Protecting mobile data  PAGE 28

Bad Goods: Anticounterfeiting for fun and profit  PAGE 36



Source: "Business Continuity Unwrapped," Continuity Central, 2006, www.continuitycentral.com/feature0358.htm. IBM, the IBM logo, System p, Take Back Control and Tivoli are trademarks or

All rights reserved



INFRASTRUCTURE LOG

DAY 82: There are so many risks out there. So many things that can happen to our business: natural disasters, spikes in traffic, mergers. How do we prepare? One in three companies don’t recover from unplanned downtime.1 Would we?

Gil has wrapped everything in the office with bubble wrap. Everything. Just to be safe.

DAY 83: I’m preparing with IBM Business Resilience Solutions. IBM Business Continuity Services can help us assess our risks and design a proactive plan to deal with them. IBM Tivoli gives us the visibility to diagnose and fix infrastructure problems. And the robust availability features of the IBM System p™ give us maximum uptime. The future feels so much safer now.

No more bubble wrap. And I have to mail a package. Great.



Take  the  business  continuity  assessment  at: 

IBM.COM/TAKEBACKCONTROL/READY 


March,  2008  Vol.  7,  No.  2 


Features...

22  Gaming the System
Cover Story | SEO  Search Engine Optimization is the trick to winning online revenue. What happens when hackers start going after the prize? Step right up and see! (Part one of two) By Scott Berinato

28  Protecting the Mobile Workforce
Mobile Security  Seven ways to safeguard your company’s roaming data from thieves, hackers, viruses and just plain stupidity. By Stacy Collett

32  Why Johnny Long Hacks Stuff
Interview  The self-described Christian hacker talks about how he wrote No Tech Hacking and how he’s trying to get the hacking community to do charity work. By Katherine Walsh


Also Inside...

4  From the Editor

6  From the Publisher

8  Toolbox
A Buyer’s Guide to Network Cameras  Do you want full or partial IP? How much bandwidth? And what about vendor compatibility? We’ll walk you through the entire process. By Mary Brandel

15  Briefing
California takes aim at medical records breaches; What you don’t know about ways into your applications can hurt you; Breaking down the outcome of a security investigation into the misuse of government resources; 5 ways to build a case for business continuity; Moody’s wants to rate security, not just securities; Safe social networking

36  A Case for Anticounterfeiting
Undercover  Wherein our CSO makes, and proves, the argument that anticounterfeiting should be a security function.

38  Spy Versus Spy
Industry View  A CIA veteran looks at today’s shrill warnings of nation-based economic espionage. By Christopher Burgess

40  Debriefing
Taser Party

CSO (ISSN 1540-904X) is published monthly except for a combined issue in July/August and December/January by CXO Media Inc., 492 Old Connecticut Path, P.O. Box 9208, Framingham, MA 01701-9208. Periodical Postage Rate at Framingham, MA 01701, and at additional mailing offices. Canadian Publications Mail agreement number 1902075. Canadian Postmaster: Please return undeliverable copy to P.O. Box 1632, Windsor, ON N9A 7C9. Copyright 2008 by CXO Media Inc. All rights reserved. Reproduction of material appearing in CSO is forbidden without written permission. Permission to photocopy for internal or personal use or the internal or personal use of specific clients is granted by CSO for users through the Copyright Clearance Center, provided that a fee of $3.50 per copy of the article is paid directly to Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01970, www.copyright.com. Please specify: ISSN 1540-904x. Permission to photocopy does not extend to contributed articles followed by this symbol. Address inquiries to CSO, P.O. Box 3482, Northbrook, IL 60065; 866 354-1125. CSO is free to qualified security executives. To all others the one-year basic rate is $70 for the United States and Canada, $95 to foreign countries (payable in U.S. funds only). The single copy price is $9 to the U.S. and Canada and $15 International. Please allow four to six weeks for new subscriptions to begin. Change of Address: Go to www.omeda.com/custsrv/cso and follow the online instructions. Postmaster: Send change of address to: CSO, P.O. Box 3482, Northbrook, IL 60065. Printed in the USA.


2  www.csoonline.com  March  2008 


Cover  illustration  by  Peter  Horvath 




Troubled by evolving network threats? As you open up the network to more users and deploy newer apps and business initiatives, your security should keep pace. Only Juniper Networks gives you unprecedented protection from attacks while providing visibility across the network. So defend against application-layer threats and minimize downtime. Deliver valuable assets to a wider base of users. Adhere to regulatory compliance requirements.

Juniper’s broad security portfolio lets you leverage the network in new ways, to achieve greater business goals. The switch is on to Juniper Networks: www.juniper.net/secure

Juniper Networks

1.888.JUNIPER


FROM  THE  EDITOR 


Game  Time 

The  Internet  has  been  compared  a  million 
times  to  the  Wild  West.  The  analogy  is 
rather  threadbare  by  now,  but  it’s  hard  to 
come  up  with  a  better  way  to  describe  the 
landscape  of  search  engine  optimization.  Web 
commerce  is  a  high-stakes  game  of  saloon 
poker.  As  with  any  high-stakes  game,  there 
are  good  players,  inept  players  and  also  lots  of 
people  of  dubious  character  floating  around 
trying  to  find  an  angle.  Every  once  in  a  while, 
a  kerfuffle  breaks  out  and  somebody  gets  a 
beer  bottle  over  the  head. 

Search engine optimization (the art and/or science of coming up high on the results page for any particular search) is one of the skills that sets apart the best players. But there is nothing inherently good or bad about SEO. Some SEO activity is entirely aboveboard. Some of it is like card counting: not illegal, but against the house rules. And some SEO is downright dirty. It’s one of the ways that cheaters can try to cheat.

SEO is a subject near and dear to my own heart. It’s become an essential skill for anyone who publishes on the Web as we do at CSOonline.com (which, by the way, will be redesigned and relaunched this spring). So it has been very interesting indeed to watch Executive Editor Scott Berinato delve into the topic of SEO and examine the good, the bad and the ugly of that world. The first half of his report appears on Page 22 of this issue, looking at the collision of the search world with that of gray- and black-hat hacking. This intertwining was perhaps inevitable, given the amount of money in the pot, and the fact that at some level both hackers and SEOs (regardless of hat color) are engaged in deciphering and manipulating the way machines interpret the world.


The beleaguered search companies (the frontier sheriffs in this scenario, well armed but tasked with enforcing a not-yet-complete code of law) continue to tweak and rejigger their systems’ algorithms. They have shifted some of their emphasis from what’s on the page of a given site (which is easy for the site owner to manipulate) to what other sites have linked to that site (which can still be manipulated, but isn’t quite as easy). The name of the game, ultimately, is trust: Which sites are completely trustworthy, which ones exist only to scam money from Google or from other businesses, and how do you make sense of the vast number of sites that fall somewhere in between? It will be more than interesting to watch the gradual process of determining what constitutes fair play.

After  all,  this  is  a  game  where  my  company 
has  chips  on  the  table. 

-Derek Slater,  dslater@cxo.com 


Editor  in  Chief  Derek  Slater 
Executive  Editor  Scott  Berinato 
Managing  Editor  Sarah  D.  Scalet 
Staff  Writer  Katherine  Walsh 
Copy  Editor  Susan  Bryant-Still 
Associate  Copy  Editor 
Kristin  Burnham 

Editorial  Assistant  Jarina  D’Auria 
Editorial  Administrator 
Jill  Paquette 
Contributors 

Mary  Brandel,  Stacy  Collett, 
Christopher  Burgess 

DESIGN 

Executive  Director,  Art  and 
Design  Mary  Lester 
Art  Director  Steve  Traynor 

RESEARCH 

Research  Manager  Carolyn  Johnson 
Senior  Research  Analyst 

Seanna  Maguire 

ONLINE  EDITORIAL 

Online  Editorial  Director 
Christopher  Lindquist 
Online  Managing  Editor 
Michael  Goldberg 
Senior  Online  Editors 
Meridith  Levinson,  Shawna  McAlearney, 
Esther  Schindler 
Associate  Online  Editor 
Diann  Daniel 
Online  Writer  Al  Sacco 

CXO  MEDIA/IDG 

COO  Matt  Smith 
CSO  Robert  Hayes 

TECHNICAL  ADVISORY  BOARD 

Jeremiah  Grossman,  WhiteHat  Security 
Frank  Murphy,  TBG  Security 
Stephen  Northcutt,  SANS  Institute 

EDITORIAL/ADVERTISING/ 
BUSINESS  OFFICES 

492  Old  Connecticut  Path, 

P.O.  Box  9208, 

Framingham,  MA  01701-9208 
Main  phone  number:  508  872-0080 

CXO MEDIA INC.

INTERNATIONAL  DATA  GROUP 

Chairman  of  the  Board 
Patrick  J.  McGovern 

IDG  COMMUNICATIONS,  INC. 

CEO 

Bob  Carrigan 




Photo  by  Webb  Chappell 


Certified Information Systems Auditor

www.isaca.org/csomag

CERTIFIED INFORMATION SECURITY MANAGER


[  FROM  THE  PUBLISHER  ] 


The  Value 
of  Data 


I  am  fortunate  in  my  position  to  have  the 
opportunity  to  speak  with  many  of  our 
market’s  thought  leaders.  I’ve  recently  had 
some  conversations  about  the  value  of  data 
with  a  number  of  such  folks,  including  Rena 
Mears  from  Deloitte.  That  discussion  has  me 
thinking  in  a  whole  new  way  about  data,  its  value 
and  the  risk  associated  with  it. 

Assigning  monetary  value  to  data  is  a 
concept  that  few  businesses  seem  to  be 
embracing,  although,  even  from  a  cursory 
examination,  it  would  seem  to  make  a  great 
deal  of  sense  to  do.  We  treat  everything  else  in 
our  organizations  as  assets  with  measurable 
financial  value:  inventory,  people,  property, 
etc.  But  when  was  the  last  time  you  sat  down 
and  calculated  a  dollar  value  for  your  customer 
database?  My  guess  is  that  it  has  never  been 
done. 

So  what  would  go  into  such  a  calculation? 

You  should  certainly  consider  past,  current 
and  future  earnings  per  record  in  the  database. 
Most  organizations  can  tell  you,  with  a  fair 
degree  of  certainty,  how  much  revenue  they 
can  expect  an  account  to  spend  with  them  in 
the  future  based  on  past  performance.  Over 
the  years,  certain  industries  have  been  very 
successful  at  this  type  of  forecasting  based  on 
a  variety  of  sales  and  performance  metrics  that 
they  track.  Those  metrics  are  usually  maintained 
by  the  finance  and/or  sales  departments. 

Now that you have assigned a monetary value to your data, it’s time to take a look at risk. The loss of any data that you maintain, particularly if that data contains information subject to regulatory control (Social Security numbers, etc.), carries a certain amount of risk if that data were to be lost, damaged or stolen. It’s the same as if you had inventory lost, damaged or stolen. As you accumulate more of that data, the risk of loss goes up as well.


While businesses have aggregated data over the years, with little regard to the quality or value of that data, they have often failed to ask whether they are getting any kind of an ROI from it. As a critical component in determining the value of data, ROI would be a significant contributor to an evaluation of relative risk. This analysis allows you to answer questions of risk versus return: If you’re not getting a good ROI on your data but it presents you with significant risk, should you hold on to it? If the data is valuable and has a good ROI but the risk is too high, should you get rid of it? At the end of the day, these answers will be unique to your specific organization and its willingness to accept, or its desire to avoid, risk.

Are you valuing the risk of your data? Let me know at my e-mail below what you’re doing and how it’s working. I’ll post your feedback in my blog on CSOonline.com.

-Bob  Bragdon,  bbragdon@cxo.com 


Advertiser Index

ASIS International ... 19
BigFix Inc. ... 17
Garda ... 7
HID Corp. ... 35
IBM Corp. ... C2, C4
ISACA ... C3, 5, 11
(ISC)2 ... 14
Juniper Networks Inc. ... 3
Protegrity Corp. ... 39
RSA Security Inc. ... 13
SecureWorks ... 9


President  and  CEO 
Michael  Friedenberg 
Publisher  Bob  Bragdon 
Senior  Ad  Sales  Associate 
Christine  McKay 
East  Coast  Regional  Manager 
Roz  Burke 

Regional  Sales  Manager  Matt  Knuth 

INTEGRATED  MEDIA  AND 
ONLINE  SALES 

Vice  President,  Online  Sales 
Brian  Glynn 

Online  Regional  Sales  Manager 
Richard  Hartman 
Online  Regional  Sales  Manager, 
West  Coast  Erika  Karr 
Online  Regional  Sales  Manager, 
Midwest  Sarah  Gaskin 
Manager,  Online  Account  Services 
Danielle  Tetreault 

Online  Account  Services  Specialists 
Jennifer  Malkasian,  Valerie  Sumner 
Online  Advertising  Specialist 
Barbara  Sullivan 
Online  Sales  Associate 
Erin  Sullivan 

CUSTOM  SOLUTIONS  GROUP 

Vice  President  Matt  Avery 
National  Sales  Director 

Adam  Dennison 

PRODUCTION 

VP/Manufacturing  Chris  Cuoco 
Production  Manager  Heidi  Broadley 
Associate  Production  Manager 

Lisa  M.  Stevenson 

EXECUTIVE  PROGRAMS 

VP,  Executive  Programs 

Ellen  Daly 

Director,  Event  Marketing 

Mary  Conroy 

Director,  Event  Operations 
Deb  Begreen 
National  Sales  Manager 
Per  Melker 

Event  Planner  Sarah  Reagan 
Registration  Specialist  Cress  O’Brien 
Client  Services  Specialist  Erica  Foster 

LIST  SERVICES 

Contact  Paul  Capone  of 
IDG  List  Services  at  508  370-0865  or 
pcapone@idglist.com 

REPRINTS  &  PERMISSIONS 

For  information  about  reprints  and 
copyright  permissions,  please  contact 
The  YGS  Group,  800-290-5460  ext.  150, 
cso@theygsgroup.com 




Photo  by  Christopher  Navin 


For  decades,  Fortune  500  corporations  and  sensitive  government 
agencies  alike  have  trusted  Vance  Uniformed  Protection  to  secure 
personnel,  property  and  assets.  Strict  screening  produces  quality 
security  officers.  Rigorous  training  and  supervision  requirements  yield 
consistent,  reliable  services  that  reduce  risk  and  deter  criminal  activity. 
Now  part  of  Garda,  Vance  Uniformed  Protection  continues  to  deliver 
unsurpassed  value,  maximizing  client  budgets  by  offering  superior 
security  programs  at  a  competitive  price. 


In  fact,  only  our  name  has  changed.  The  same  men  and  women— 
from  the  company’s  seasoned  management  team  to  its  experienced 
security  officers— provide  exceptional  value  and  service  with  a  total 
commitment  to  quality,  day  in  and  day  out. 

Under the Garda name, Vance Uniformed Protection experts continue to protect your people and assets. We use the same screening, training, employee-retention programs and the same quality-assurance standards to deliver the service consistency and peace of mind that you have come to expect.


Contact our experts at 800.533.6754 or info@gardasecurity.com to upgrade your security program. gardasecurity.com


GARDA 

FORMERLY  VANCE 


Consistent service | Experienced team | Exceptional value | Reduced risk | Peace of mind


Vance  Uniformed  Protection  is  now  Garda  - 

A  new  name  for  the  security  team  you  know  &  trust 


TACTICS 


By  Mary  Brandel 


A  Buyer’s  Guide  to  Network  Cameras 

Do  you  want  full  or  partial  IP?  How  much  bandwidth?  And  what  about 
vendor  compatibility?  We’ll  walk  you  through  the  entire  process. 


Network cameras for IP-based video surveillance systems have been around since 1996, when market leader Axis Communications introduced the first one to the market. These are attached directly to the network and send video to a network video recorder or to a server equipped with video management software, which stores, displays or broadcasts the images. It will be another five years, according to consultancy and research firm Gartner, before the market favors IP over analog. However, IP cameras are considered a fast-growing market; according to IMS Research, the global network video market grew 42 percent last year and is expected to reach $2.6 billion by 2010.

Experts say the reasons for analog’s continued dominance center mainly around upgrade costs and a general lack of knowledge about networking technologies in many physical security departments.


Two Key Decisions

When looking at your options, the first thing you need to consider is whether you should use full or partial IP.

You can still get some of the advantages of IP while maintaining your investment in analog by using encoders that convert the analog signal to one that can run over IP. Leaders in analog-to-digital systems are Pelco, the “800-pound gorilla of the analog world,” according to Steve Hunt, founder of security think tank 4A International; and Bosch Security Systems, another traditional analog supplier.

According to Hunt, these systems work well but are not architected for growth. “With an IP-based system, I can use a 24-port switch to plug in anything I want on the network, but [these companies] are building their own proprietary network,” he says. Full IP installations, he says, are more streamlined and efficient and require less maintenance. “They’re digital from one end to another and are very reliable because there are fewer moving parts,” he says.




Illustration  by  James  O'Brien 


The  next  attack 
can  come  from 
anywhere. 


Fortunately, 
that’s  where 
we’re  looking. 


Vigilance  requires  resources.  But  outsourcing 
security  should  do  more  than  lower  your 
costs.  It  should  lower  your  risk. 


SecureWorks does just that. Our industry-leading counter-threat unit, round-the-clock analysts, and state-of-the-art threat correlation platform let us go beyond satisfying your compliance requirements — we safeguard your reputation.


SecureWorks


www.secureworks.com 


©2007  SecureWorks,  all  rights  reserved.  SecureWorks  and  the 
SecureWorks  logo  are  registered  trademarks  of  SecureWorks. 


>>  TOOLBOX 


But for North Carolina State University, analog-to-digital cameras from Pelco were the best choice for upgrading its previously diverse video surveillance system in mid-2004, according to Scott McInturf, project manager of the AllCampus Network at N.C. State. “It was the early days of IP cameras, so we felt more comfortable with analog,” he says. At the time, network cameras didn’t have features like backlight compensation and a wide selection of lenses. “The advantage of using analog cameras connected to an IP encoder is we can pick any camera we want that will fill our need for lighting and environmental conditions,” he says. Network cameras are fast catching up with analog in terms of breadth of features, according to analysts. N.C. State also uses purely IP-network cameras from Axis that other departments had already invested in.

Second, consider whether there is enough bandwidth on the corporate backbone.


Because IP-based surveillance places new demands on existing network infrastructures, the physical security department has to work with IT to implement or even choose the best system, which means overcoming a traditional barrier between the two groups. Network cameras are “forcing these two groups together, but they’re kicking and screaming and reluctant to do so,” Hunt says.

The best decisions on network design will be made jointly between the two groups, says Jeff Vining, research vice president at Gartner. For instance, because streaming live video is bandwidth-intensive, it can be too costly to upgrade networks or too difficult to use in situations where there are many users. To optimize bandwidth, you may need to use application delivery controllers and/or wide-area-network optimization controllers, he says.

Even when bandwidth is plentiful, the two groups need to communicate, McInturf says. “Because we have a robust network and the cooperation of the network technology group, we were able to use our existing network that we partitioned for security applications,” he says.

Evaluation Criteria

The range of features available on network cameras is constantly changing, but here are some basic things to look for, according to analysts.

Field of view: According to Vining, most applications call for a 240-degree field of view and a zoom capability of 500 feet. For those who need more, there are pan/tilt/zoom (PTZ) cameras, which can provide 360-degree views. These can cost more than twice as much as fixed cameras, Vining says, and normally require more maintenance because of their moving parts.

Bandwidth: It’s a huge issue, especially as demand grows for more cameras on the network and higher-resolution images. You can reduce bandwidth consumption by putting intelligence into the camera, says Simon Harris, senior analyst at IMS Research, so, for instance, only certain images are forwarded. However, that means you’re not recording nonevents that may supply needed context. “You need to use that selectively,” he says.

Camera manufacturers differ in bandwidth consumption, says Anthony Bastian, security-over-IP manager at AMS.Net, an IP convergence integrator. For instance, he says, packets sent from Verint Systems cameras are almost half the size of those sent from Sony equipment. Both use the MPEG4 compression algorithm, but there’s more overhead data in Sony’s case.

DVTel uses multicasting to reduce bandwidth, McInturf says. In other words, when multiple people are viewing a video, instead of each camera sending out an individual stream, the signal is broadcast from the server without duplicating streams.

Power source: The state-of-the-art approach for network cameras is to use power over Ethernet (POE), which means you power the camera through the same wire that sends the IP signal, saving up to $300 per camera, according to Axis Communications. POE is not always available on PTZ cameras, however, because of the amount of power they consume, Bastian says. Axis also says to ensure that the POE feature complies with the IEEE 802.3af standard so it’s compatible with network switches from leading vendors.


Market Share

According to IMS Research, the network surveillance camera market grew by 42 percent last year. The market is dominated by Axis, but there are many other players claiming small slices of the pie. Here they are, in descending order of market share.

AXIS
First to market with a network camera in 1996. Now offers the broadest range of network video surveillance equipment, from entry-level cameras to full-featured cameras for the professional security market, in addition to video servers, network video recorders (NVR) and video management software. Also has an extensive network of resellers and distributors.

SONY
Also has a comprehensive range, with 16 network camera models, as well as NVRs, recording software and video servers. Several of the network cameras have intelligent motion detection and object detection capabilities, using Sony’s Distributed Enhanced Processing Architecture technology.

PCC
The company specializes in lower-end cameras, targeting residential, small retail and SOHO applications.

D-LINK
Primarily targets residential, SOHO and small-to-medium businesses. Several camera models have wireless capability.

DVTEL
One of the first to market with IP-based video management software, the company now also offers IP cameras, encoders/decoders and video analytics.

LINKSYS, A DIVISION OF CISCO
Entry-level cameras for the residential, SOHO and SMB markets, with very competitive prices.

TOSHIBA
Offers box, dome and pan/tilt/zoom network cameras for professional security applications. Toshiba’s cameras are characterized by good, low-light performance, and the company was early to market with a megapixel camera.

IQINVISION
Best known for its megapixel cameras.

PANASONIC SYSTEM SOLUTIONS
Specializes in high-end, state-of-the-art cameras, including megapixel cameras. Panasonic has a long history in the video surveillance market and is the world’s largest supplier of analog cameras.

Source: IMS Research


ISACA’s 38th Annual North America Computer Audit, Control and Security (North America CACS) Conference

The world's leading conference for IT audit, control, security and governance professionals

27 April-1 May 2008

Rio All Suites Casino Resort
Las Vegas, Nevada, USA

Conference Tracks

■ IT Audit Core Competencies
■ IT Audit Tools and Competencies
■ IT Audit Techniques for Evaluating Business Practices
■ Compliance Issues
■ Control Methodologies and IT Governance
■ Information Security Practices
■ IT Risk Management

www.isaca.org/nacacs

Resolution:  Many  users  are  moving 
toward  megapixel  cameras,  which  offer  five 
times  the  resolution  of  video  graphics  array 
(VGA)  cameras,  according  to  Jim  Gompers, 
founder  of  Gompers  Technologies  Design 
Group.  Not  only  do  you  get  a  clearer  image, 
he  says,  but  because  of  the  higher  resolution, 
you  can  also  reduce  the  number  of  cameras 
you  need.  On  Gompers’s  recommendation, 
the  Montgomery  County  Public  Schools  in 
Maryland  invested  in  megapixel  cameras 
from  IQInvision,  and  the  images  are  much 
clearer  than  the  previous  analog  system, 
according  to  Robert  Hellmuth,  director  of 
security  and  safety  for  the  school  district. 
“Before,  we’d  see  an  incident  and  play  back 
what  we  recorded,  and  we’d  see  two  figures 
but  couldn’t  identify  them,”  he  says. 


Auto filtering: For image clarity in various lighting situations, it’s important to get a camera with adjustable lenses to control the amount of light that is received. This is especially important, Vining says, when a camera is facing east or west. However, he says, some organizations will simply elevate camera mounts and then angle downward to view the horizon rather than incur the additional costs of adjustable lenses.

Open platforms: Look for vendors that comply 100 percent with industry standards, such as in the areas of security and video compression, Gartner recommends. Also look for open application programming interfaces and multiple supported software applications.

Scalability: Companies with large installations will want the equipment to be compatible with tools that locate, update and monitor the status of the devices and their IP addresses.

Service/support: Make sure the vendor or reseller is able to send replacement parts quickly and can readily offer engineering support. Many network camera manufacturers sell indirectly through channel partners, which is common in the IT industry but not in the security industry. This takes some getting used to among traditional security personnel. “The manufacturer doesn’t provide the hand-holding of companies like Pelco and Bosch,” McInturf says.

Dos  and  Don’ts 

DON’T let cost be your guiding light. According to Hunt, most people buy cameras with cost as their highest priority and effectiveness as the second, which results in grainy, out-of-focus images. There are tools available, such as one on IQInvision’s website, that help you choose the resolution and lens that fits your needs, based on factors like distance and camera height. “People don’t do that calculation; they don’t even know how,” he says. “They assume all cameras are equal so they buy the cheapest one.” Determine what you need to accomplish, he says, whether it’s reading a license plate number or simply knowing whether cars are moving through a tunnel.

DON’T think small when upgrading from analog/VCR systems. When the VCRs at the Montgomery County school district began breaking down, Hellmuth first switched to digital video recorders (DVRs). After talking with a consultant, however, he came up with a bigger strategy: centralizing all its security systems, including alarms, access control, visitor management and surveillance, on one platform. As it turned out, the current network infrastructure could support such a system.

Despite the lower cost of the DVR approach, there just weren’t a lot of benefits, Hellmuth says. Each could support only 16 cameras, and there was only about two weeks of storage capacity. The school district is now in the middle of a six-year project that will cost $1.5 million per year. “When we decided we wanted to tie all the security components together, we were able to paint a better picture for the funding sources on why we needed more cameras and better quality cameras.”

DO understand the trade-offs to high-quality images. Gompers advises people to favor a crisper image over smooth motion.

“Digital quality is not as crisp,” McInturf says, but it meets the school’s needs, and for now he’s choosing not to upgrade to megapixel cameras because of the resulting bandwidth and storage requirements. “It’s a balancing act between the storage required and the detail you capture,” he says. “If you’re capturing the highest quality of video using megapixel cameras and you’ve set it up perfectly, at that point, you’re recording a lot more data than from an analog standpoint.”

DO consider the benefits of centralizing video surveillance. Before N.C. State standardized on a single IP surveillance system, each department had invested in its own equipment—some analog, some IP. As a result, it was difficult to locate anyone who knew how to operate the system. “If it was an older system, the tape had run out long ago and no one was looking after it, or they didn’t know how to operate the software,” he says. Now, campus police can just log in themselves, rather than working with each department to view security footage.

DON’T assume everything is mix and match. While many network cameras claim compatibility with many vendors’ video management software, “some management software is more open than others,” Harris says. For instance, Bastian points out, the Verint software he uses performs health monitoring of its own cameras, even alerting users to the temperature of cameras. However, with non-Verint hardware, the system can tell you when a camera is out, but not whether it was due to heat.

McInturf has also run into compatibility issues. While he appreciates the fact that he can use multiple cameras with his DVTel management software, each camera poses a learning curve in terms of how it relates to the software. For instance, the motion detection settings in DVTel’s software tended to conflict with those settings in the Axis cameras. As a result, the cameras were recording 24/7 and filled up the storage archive in a week. The DVTel software also doesn’t currently support megapixel cameras, he says. “The message is that the IP industry for video is still young and fairly proprietary, and everything doesn’t work with everything else,” he says.


Mary Brandel is a freelance writer based outside Boston. Send feedback to Editor Derek Slater at dslater@cxo.com.


12  www.csoonline.com  March  2008 




“My response to CSOs lamenting the existence of Facebook is to ask if they’ve ever been on it.” page 21


TRENDS,  STATS  AND  FAST  FACTS 
Edited  by  Sarah  D.  Scalet 


COMPLIANCE

California Takes Aim at Breaches Involving Medical Records

New law aimed at reducing instances of medical identity theft could prompt similar legislation, have national reach


A new California law requiring that customers be notified of a breach involving their medical information is likely to influence legislation in other states, according to two analysts who follow the healthcare industry. However, legal experts remain divided on whether the law applies to out-of-state organizations that hold information about Californians.

AB 1298 is an extension of the financial data breach notification law SB 1386, which has been partially responsible for influencing nearly 40 other states to adopt similar legislation and which is widely interpreted as applying to non-California entities that hold customer records about California residents. The new law requires all state agencies and companies that conduct business in California to notify residents when a breach of their medical information occurs. A name must be associated with the data, but Social Security numbers do not have to be present. The new law also restricts organizations from disclosing personal health information without patient consent.

Robert Booz, a vice president at consultancy Gartner, anticipates that the law will expand the healthcare industry’s concern for privacy and security, as well as influence other states to adopt legislation. Consumer confidence is central to the idea of electronic patient health records, Booz says, citing a November 2007 Wall Street Journal/Harris Interactive poll in which 60 percent of respondents said that the privacy risks associated with electronic health records do not outweigh the medical benefits. If use of these records is to proceed, “consumers must be confident their information will not be compromised,” he says.

Still unclear is the law’s impact on hospitals and insurers in states other than California that are holding patient information about a California resident. Kate Borten, founder and president of The Marblehead Group, a health information security consultancy, has heard mixed opinions involving the jurisdiction of the disclosure laws either for financial information or medical information.

“I’ve heard lawyers say that a company in a state without the law is not subject to the breach notification requirement in another state because each state is a sovereign entity,” Borten says. “I don’t know that there is any case law yet that has cleared that up.”

That confusion is one reason Booz and Borten both say a federal disclosure law is necessary. Until that happens, Booz says, the California law is a good thing that will spread soon enough. “Those [states] that get in front of the issue will have a better ability to create consumer confidence.”

The law aims to help curb a growing problem: medical identity theft. A 2006 report from the California-based World Privacy Forum found that a quarter of a million people become victims of medical identity theft each year. Gartner’s projections are even higher. The consultancy estimates that there will be more than 1 million cases of medical identity theft in 2008.

Booz says the exposure of medical information can have serious medical consequences as well as financial ones. Because an individual fraudulently using a medical identity to receive services could change portions of a legitimate medical record, the real patient could receive medical care based on false information.

-Katherine  Walsh 


Illustration  by  Francis  Blake 




THREAT WATCH

Backdoors

What you don’t know about ways into your applications can hurt you

The term backdoor is a misnomer. This threat is more like a hidden passage. Backdoors are shortcut entries into applications that aren’t readily visible to users, programmers or even the vulnerability scanners that try to keep applications watertight. Often, these backdoors have been left there on purpose by programmers.

For whatever reason they’re there, they’re a vulnerability. “We had many CSOs and security folks asking us if we could scan for backdoors,” says Chris Wysopal of the vendor Veracode. “We didn’t have scans at the time. So I just started looking around. I went to papers, mailing lists, just looking for anything I could find. It turns out there was very little real, academic research on backdoors.”

So  Wysopal  took  on  the  research. 

The threat, of course, is that if the backdoor becomes public knowledge, then bad actors can slip into the application unnoticed. And, as Wysopal notes, the more critical the software is, and the higher the value of the target, the more likely it is that the development process could be compromised by an insider—a rogue programmer who puts a backdoor in without anyone’s knowledge. Wysopal says that national security types assume that malicious programmers and ones who are offered bribes are part of any software development for state and nation-state level use. “The question of why wouldn’t the CIA or NSA do this was almost rhetorical,” he says.

Wysopal’s research categorizes three types of backdoors:

1. Crypto backdoors. Portals that are lightly encrypted and easy to break through; these are used often in the hacking world.

2. System backdoors. The rootkit phenomenon: using a vulnerability to establish ongoing root access to a system.

3. Application backdoors. The backdoors inserted when someone subverts the development process. Types include:

a. Special credential backdoor. The most common, a privileged account known only to those who designed it and to those with whom they share it.

b. Malicious backdoors. Ones planted by programmers who intend to do harm or are paid by those who intend to do harm.

c. Support backdoors. Those left intentionally for support staff to gain easy access to an application for troubleshooting.

Wysopal’s research focused mostly on the application backdoors. What he found was that backdoors were far more common than he expected, which means it’s time for companies to think about closing them up. Also, he discovered that closed-source software backdoors’ existence was measured in years, while open-source software backdoors seemed to be opened and closed in months. “When we looked at special credential backdoors, the four biggest were all closed-source products.”

AGAINST BACKDOORS, THINK ABOUT:

1. Running background checks on programmers who work on software that will be critical or involve significant transactions, in other words, high-value targets.

2. Scanning applications for the most common and easiest-to-find backdoors, understanding that this process won’t detect all backdoors.

3. Asking your vendors what they do to prevent backdoors from getting planted in their software. -S.B.

Unfortunately, Wysopal believes, backdoors could devolve into a cat-and-mouse game of detection and evasion, not unlike any other software scourge like viruses or botnets or spam. In the meantime, do you know who developed your application? Really?

-Scott  Berinato 
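The sidebar’s second item, scanning applications for the most common and easiest-to-find backdoors, and the “special credential” category above point at the same check: a working username or password compared against, or assigned from, a string literal in the source. The scanner below is an added example, not Veracode’s tool or anything from Wysopal’s research. It applies three heuristics (a quoted literal assigned to a password-like identifier, such an identifier compared directly against a literal, and C’s strcmp against a literal) to two constructed source snippets embedded in the script; the identifier fragments, the placeholder filter, the sample code and the file names are all assumptions made for the illustration.

```python
"""Heuristic scan for special-credential backdoors: a working credential
compared against, or assigned from, a string literal in source code.
Added example with constructed sample inputs; not any product's scanner."""
import re
from dataclasses import dataclass
from typing import List

# Identifier fragments that suggest a credential is being handled (assumption).
_NAME = r"\b\w*(?:pass(?:word|wd|phrase)?|pwd?|secret|token|api_?key)\w*"
# A quoted literal of at least four characters with a matching closing quote.
_QUOTED = r"""(?P<q>['"])(?P<value>[^'"]{4,})(?P=q)"""

PATTERNS = [
    # password = "literal"
    ("literal-assignment",
     re.compile(_NAME + r"\s*=\s*" + _QUOTED, re.I)),
    # password == "literal", password === "literal", password.equals("literal")
    ("literal-comparison",
     re.compile(_NAME + r"\s*(?:===?|\.equals\()\s*" + _QUOTED, re.I)),
    # strcmp(password, "literal")
    ("strcmp-literal",
     re.compile(r"strcmp\(\s*" + _NAME + r"\s*,\s*" + _QUOTED, re.I)),
]

# Literals that are templates or obvious placeholders, not working credentials.
_PLACEHOLDER = re.compile(r"^(?:\$\{|\{\{|<|%)|changeme|example|dummy|xxx", re.I)


@dataclass(frozen=True)
class Finding:
    filename: str
    line_no: int
    kind: str
    identifier: str
    masked_value: str  # only a hint of the literal, so the report does not leak it


def _mask(value: str) -> str:
    return value[:2] + "*" * (len(value) - 2)


def scan_source(text: str, filename: str = "<memory>") -> List[Finding]:
    """Return one Finding per suspicious literal, in file order."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS:
            for m in pattern.finditer(line):
                value = m.group("value")
                if _PLACEHOLDER.search(value):
                    continue
                # The credential-like identifier that triggered the match.
                identifier = re.search(_NAME, m.group(0), re.I).group(0)
                findings.append(Finding(filename, line_no, kind, identifier, _mask(value)))
    return findings


# Constructed samples: a clean line, a Python special credential, a C support backdoor.
SAMPLE_LOGIN_PY = '''\
import os
DB_PASSWORD = os.environ["DB_PASSWORD"]          # fine: read from the environment

def login(user, password):
    if user == "admin" and password == "letmein2008":   # special credential
        return True
    return check_against_directory(user, password)
'''

SAMPLE_AUTH_C = '''\
int auth(const char *user, const char *passwd) {
    static const char *support_pw = "fieldsvc!";     /* support backdoor */
    if (strcmp(passwd, "fieldsvc!") == 0) return 1;
    return ldap_bind(user, passwd);
}
'''

SAMPLES = {"login.py": SAMPLE_LOGIN_PY, "auth.c": SAMPLE_AUTH_C}


def scan_samples() -> List[Finding]:
    out: List[Finding] = []
    for name, text in SAMPLES.items():
        out.extend(scan_source(text, name))
    return out


if __name__ == "__main__":
    for f in scan_samples():
        print(f"{f.filename}:{f.line_no}: {f.kind} on {f.identifier!r} (value {f.masked_value})")
```

Running the file prints the three findings from the samples; scan_source() can be called on any source text. The heuristics trade precision for coverage: a name such as TOKEN_HEADER assigned a header string will be reported, and anything the three patterns do not describe will be missed, which is exactly the sidebar’s caveat that this process won’t detect all backdoors. Such a scan narrows what a reviewer has to read; it does not replace knowing who wrote the code.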




Photo  by  iStockPhoto.com 




>> BRIEFING

DEPARTMENT OF TOO MUCH TIME ON THEIR HANDS

CLEAN-UP IN D.C.

A BREAKDOWN OF THE OUTCOME OF A SECURITY INVESTIGATION INTO THE MISUSE OF GOVERNMENT RESOURCES IN THE NATION’S CAPITOL

9: Number of municipal employees fired in Washington, D.C., in January for viewing an “egregious” number of pornographic images, at least 20,000 each, during the previous year

[figure not legible in scan; 20,000 images over 200 workdays is 100 per day]: Images per day those employees viewed, assuming 200 workdays per year

[figure not legible in scan]: Number of additional employees who have been reprimanded or suspended for viewing pornographic content

1: Chief technology officer who brought together a security team to investigate the initial employee complaint about abuse of government resources

[figure not legible in scan]: Number of District PCs that had content-filtering systems before the investigation

[figure not legible in scan]: Additional copies of filtering software bought and installed during the investigation

Source: Computerworld and www.dc.gov


BEST PRACTICES

5 Ways to Build a Business Case for Business Continuity

Emphasize ways good planning can give your company a competitive edge, experts say

The importance of business continuity planning is a no-brainer, if you’re a security leader who already thinks in terms of security and risk, that is. But convincing business executives of such a plan’s criticality may be a tougher sell. The key, experts say, is to make its effects tangible, before disaster strikes. “Far too often, business continuity is thought of as an expense, overhead or something we have to do to please the auditors,” says Jack Smith, first vice president and business continuity manager for global IT at ABN Amro in Chicago. “Look at it as a business opportunity and a competitive advantage instead.” Of course that’s easier said than done. But here are some ways to get started.

1. USE REGULATORY COMPLIANCE TO YOUR ADVANTAGE. Start by educating yourself about the regulations for your industry, both ones that are in existence and those that may be on the horizon. In certain industries, regulations will define your business continuity strategy, which can be an asset when you’re trying to get buy-in from the board of directors and other executives, says Jim Grogan, vice president of consulting product development for SunGard Availability Services, a business continuity services provider.

2. CREATE A PLAN THAT REFLECTS YOUR COMPANY’S CULTURE. Step outside yourself and appreciate that business continuity means different things to different people, Smith advises. The type of plan you design and how you sell it will be influenced by your company’s culture and organizational structure. “Take a look at the various departments that make up the business,” Smith says. “What are their priorities? What business functions are the most important?”

3. ENCOURAGE GRASS-ROOTS SUPPORT BY MEETING INDIVIDUALLY WITH DIFFERENT BUSINESS UNITS. A good business continuity plan is one that creates alignment among security, IT, and corporate strategies and policies. Do the groundwork by meeting with the people in individual business units, Grogan says. “If the business isn’t communicating with IT, then the business continuity strategy will miss the mark.” More important, if you don’t have executives who believe the program has value, you will probably never get funding for your plan.

4. STAY FLEXIBLE. Business continuity plans are not one-size-fits-all, and asking for support for your program doesn’t mean you’re asking the business to treat every piece of infrastructure the same way. “Just because you need failover capability for one application doesn’t mean you need that same capability for all files and systems,” Grogan says. Having a flexible system is also important as threats change.

5. FIND WAYS THAT BUSINESS CONTINUITY ADDS TO THE BOTTOM LINE. Try to show how having a strong plan in place protects the bottom line. “When [the] LaSalle [Bank Building] had a major fire in 2004, they continued to process,” Smith says, speaking of a subsidiary of ABN Amro. “No critical functions were interrupted, despite it being one of the largest fires in the history of Chicago.” Being known as a resilient company brought in new business, he says. “Staying up when others may be down is good business, not to mention good public relations.”

-Katherine  Walsh 




Illustration  by  Francis  Blake 




>>  BRIEFING 


DUE DILIGENCE

Moody’s Wants to Rate Security, Not Just Securities

New service aims to create the CSO’s equivalent of Aaa to C ratings, but will it take off?

As a consultant for @stake and then for Symantec, Ed Leppert spent a lot of time doing third-party security assessments for his financial-services clients—slogging through questionnaires and SAS 70 reports, trying to determine how effectively a given service provider was handling its own security. While the research was important, sometimes it seemed inefficient. “We said, it doesn’t make sense to do these things individually,” Leppert says. “All the companies want [to know] basically the same things.”

Now, as part of a startup within Moody’s, a credit rating company, Leppert is trying to bring the same clarity and efficiency to security assessments that investors have when evaluating credit risks. The goal is to create the security world’s version of the Aaa to C ratings that Moody’s devised long ago for financial securities and bonds.

Of course, it’s more complicated than that. For starters, the ratings aren’t made public; the rated company has to authorize a potential customer to access the information. And the ratings are 1 through 5, not A through C. “The people creating it are techie guys, not good marketing guys,” quips Leppert, who is VP of Moody’s Risk Services.

Service providers who sign up are analyzed and rated in each of 11 categories, including access control, business continuity and data security, and get an overall assessment as well, with 1 being the best. The business model is still in flux, but currently, rated companies pay about $23,000 for the first year, and subscribers pay less than $1,500 per report, after receiving two reports for free. Some vendors have signed up after being asked to do so by one of several large, financial-services companies that served as an advisory council during the service’s development.

The idea for such an at-a-glance rating is appealing to risk executives such as Andre Gold, head of security and risk management for ING’s U.S. Financial Services business, who is evaluating the Moody’s service along with a similar Product Certification Program from BITS, a nonprofit financial-services consortium operated by the Financial Services Roundtable. Last year, Gold oversaw reviews of 176 new technology vendors; his team visited sites as far away as South Africa to conduct security assessments. “It’s a service that we must do, but I think it’s a nonvalue-add service,” he says. Although Gold is eager for a service that would allow him to streamline that process, the question for him, as well as for Leppert, is whether Moody’s can persuade enough companies to sign up to make a subscription worthwhile.

As of early February, Moody’s had completed only a few ratings, with 20 to 25 more in the contract process. “The subscriber base is going to be the issue with something like this really taking off,” Gold says. “I’m an optimistic observer.” -Sarah D. Scalet


LOSS PREVENTION

Despite growing concerns about organized retail crime, a new study says employee theft is still far more common

Source: An online survey of 96 retailers done by Retail Systems Research

[Chart: sources of retail loss ranked by the surveyed retailers; the bar values are not recoverable from the scan. Categories shown:]

Employee theft of merchandise in stores

Paper shrink (missed markdowns)

Customers stealing merchandise

Employee theft of cash

Organized crime rings

Fraudulent returns



Photo  by  iStockPhoto.com 


Howard Schmidt (left) and Bill Boni both say that participating in LinkedIn and Facebook helps them be effective security leaders, as long as they are wary of sharing too much information.


CAREER

How to Social Network Safely

The business advantages are starting to outweigh the security risks, say two CSOs

Howard Schmidt was reluctant to hop on the social networking bandwagon, a byproduct, he says, of the paranoia he internalizes as a security professional. Eventually, though, Schmidt, the one-time cyber adviser to President Bush and itinerant CISO turned consultant, decided the positives outweighed the negatives. He joined not just one social network but three: Facebook, LinkedIn and MySpace.

“My response to those in the security business lamenting the existence of Facebook and MySpace is to ask them if they’ve ever been on it,” says Schmidt.

Bill Boni, too, took the social networking leap, with gusto. The longtime corporate vice president of information security and protection at Motorola has now racked up more than 500 connections on LinkedIn. He says the site allows him to keep in touch with people and gives him an opportunity to tap into “additional sources of expertise.”

Despite the well-publicized security and privacy risks of social networking, both Boni and Schmidt say it’s possible to reap the benefits of social networking and stay safe at the same time. Here’s their advice.


1. DO your homework. Before you join, talk to people you know and trust about their experiences with social networking. Different people have different comfort levels, which may dictate which site (or sites) you decide to join. For instance, LinkedIn contains mostly fields for resume-type information, while Facebook also asks about your politics, religion, and favorite books and movies (not that you have to answer). After reviewing each site, ask yourself which you would benefit from most, what types of features you want and what type of information you are comfortable sharing.


2. Secure your settings. The benefit of social networking is directly related to the openness of it, Schmidt says, so privacy and security can be tricky. But each site has a variety of options, and you can decide how much or little you want, or you can lock down your information. Profiles on any of the sites can be set as public or private, with a private profile being accessible only to those you are connected to or “friends” with.

You can also control various aspects of your profile on each site. Facebook, for instance, allows you to control who can contact you, who can find you in a search and what information they will find. You can also set up a limited profile for when you want to connect with someone but not share everything.

3. Be careful whom you link to. The implicit risk in a sharing site is that it’s open to anyone who follows the terms of use, says Boni. “That means [in addition to all the good people],” he says, “there could be members of organized crime, criminal undergrounds or people with malicious intent lurking on there.” That’s why it’s crucial to control whom you allow into your network. If you receive a link request from someone claiming to know you through another connection or “friend,” check with that connection to make sure the request is legitimate. Don’t accept someone who you don’t know or haven’t checked out.


4. Avoid the TMI trap. As pro-social networking as Boni and Schmidt are, both say that you are your own worst enemy online, and the risk is always there that you will disclose too much information. “People need to be skeptical and cautious when leveraging these networks,” Boni says. “There are lots of things people shouldn’t tell others, but they do anyway.” And that, he says, can lead to social engineering and elicitation, when someone uses what they know about you to try to learn something about you or your company that’s better not disclosed.

That’s why Boni says he won’t disclose anything of real concern to him. “It’s my responsibility to exercise reasonable judgment when I decide what information I want to disclose,” he says. Boni sees his account on LinkedIn strictly as a way to help him do his job better, and as a result, he provides only information related to his professional self.

Schmidt, on the other hand, sees advantages in blurring the personal and professional lines. Because of MySpace, he realized that one of his CEO colleagues was an avid fisherman, as is he. Another friend turned out to be an amateur photographer, so is Schmidt. “It helps you build trust and a better understanding of who they are, which enhances your business relationship,” he says. And that’s the whole idea.

-Katherine  Walsh 


Photo left by Jay Blakesberg, right by Bob Stefko




COVER  STORY 


Search  Engine 
Optimization  is  the 

trick  to  winning  online 
revenue.  What  happens 
when  hackers  start 
going  after  the  prize? 
Step  right  up  and  see! 
(Part  one  of  two) 

By  Scott  Berinato 


DAVID NAYLOR HAS BEEN a search engine optimizer (SEO) for a decade, as long as anyone, really. About a year ago he received an unexpected phone call. “Apparently, you’re one of the best black-hat SEOs in the world,” a stranger said. Naylor laughed modestly, but it was true. Naylor’s business was to game search engines using aggressive, some would say dubious, tactics in order to goose websites’ rankings and thereby increase traffic to the sites. And he was extremely good at it.

Apparently, the caller was one of the best black-hat hackers in the world. He told Naylor that he was interested in the search engine optimization (also abbreviated SEO) business, and the related search marketing business, which can be thought of as applied SEO, using it to drive traffic to a site where one sells ads and products.

Specifically, the hacker was interested in the money. The income is precariously unstable, but $10,000 months aren’t uncommon for SEOs and search marketers. Six-figure months aren’t unheard of, either.

The hacker also seemed deeply intrigued by the culture of openness, even pride, that inhabits the SEO community. Hackers are recruited by crime syndicates and labor to mask their identities; SEOs are hired by Fortune 500 companies and blog about the size of their checks from Google. The caller seemed interested in that kind of freedom.

So Naylor invited the hacker to meet him and 30 or so more SEOs at one of their informal conclaves. The next one was in Manchester, England (Naylor’s from Yorkshire). They met up and slipped into a dim booth with full pints.

They talked for two hours. What Naylor remembers most from the conversation is this: “I said, ‘I don’t know how you guys monetize without getting caught.’ And he said to me, ‘That’s why I came to you. You know how to monetize. I know how to not get caught.’”




Illustration  by  Peter  Horvath 




Naylor had already been thinking about that. He had seen what could happen, what has now started to happen, to SEO. The hacker’s interest in SEO would be reciprocated, and the worlds would cross over. Naylor himself was cautiously curious about hacking tools that could cut down on the considerable grunt work SEO requires. What’s more, at that time, SEOs had noticed that search companies were cracking down on black-hat SEO tactics. Hacking tools could help sidestep that problem, too. “In some ways,” Naylor says, “it would have been easier to say, ‘Yeah, let’s secretly break into servers, leverage cross-site scripting vulnerabilities to improve our rankings’” rather than do SEO the traditional way.

But Naylor didn’t have an appetite for hacking. SEOs may have a less-defined code of business ethics than most, but it’s a code nonetheless. They like to say that hackers break the law, while they merely break a search company’s terms of service. “When I get caught, which I do, I get kicked off a search engine for a while,” Naylor says. “When hackers get caught, they go to prison.”

But now Naylor was thinking that distinction would fade. Eventually, SEO would become big business for bad guys, like spam and identity theft. It has already started. Al Gore’s ecology blog was hacked late last year, but not for political reasons. It was hacked so that some guy marketing Xanax and Viagra could plant links to boost his search rankings.

Security researcher Jeremiah Grossman calls the phenomenon SEOwN3d!!i, merging SEO with hackers’ leetspeak slang for “hacked.” It’s a powerful merging of cultures and interests that has the ability to change the nature and value of search engines themselves.

Naylor opted out, retired from the black-hat SEO business. He didn’t want any part of whatever it was becoming. “I never felt comfortable in that world,” he says of hacking. “You look down the road and just see it’s not something you can build a business on, a life on. All the things we used to do, it just seems easier to hire a hacker now. It’s a little bit sad in a way.”

AUGURS  OF  SEARCH 

CURRENTLY, THE BEST way to find approximately what you need on the Internet is to submit an idea to a search engine and in return receive a list of links to sites related, somehow, to your idea.

Really, the only links that matter are the first five or so, because few people bother to scroll past what they first see; almost no one clicks to the second page of results or beyond. Website owners know this and therefore compete for the top spots. If a site does not rank highly, it is in some sense virtually nonexistent.

To determine who earns this prime real estate, search engine companies send small software programs called spiders (or crawlers or robots) to scuttle around the Internet and collect information about websites: their location, what words are on the page, what links lead to and leave from the site, and more. The spiders dump that information into mighty algorithms that reckon the sites’ relevance and credibility. These algorithms are proprietary and somewhat mysterious; no one outside of the search companies knows precisely how they work. Some argue that even the search companies don’t know exactly how they work anymore, because the algorithms are constantly changed and have become colossally complex.

Still, clever types who’ve studied how the search engines behave can approximate what pleases the algorithms and then alter a site in ways that improve the site’s ranking. Some alterations are as simple as adding verbiage to match the kinds of words people type into search engines. Change the phrase “cell phone rings” on your page to “ring tones,” for example, and your traffic goes up, because while virtually no one searches on the former term, many type in the latter. Other techniques are complicated linking schemes that involve getting other sites to link back to your own site.

The hundreds of techniques like these that are used to boost a site’s ranking make up SEO.

In ancient Rome, prior to important events, a college of priests called augurs would “take the auspices,” meaning they would study the flight patterns of birds to understand the will of the gods. SEO is not so different from that.

In the hands of a good SEO, optimization works outrageously well. Naylor likens it to turning on a tap. He remembers a mattress company in England that hired him to get the top ranking for searches about beds. Naylor knew the company wouldn’t be able to handle the bump in traffic he would provide, but the owner sloughed off his concerns. So Naylor delivered the number-one ranking, and about 25,000 new visitors per day. The company’s 15 trucks and meager customer service collapsed under the demand.

SEO is flourishing also because many companies shifted revenue strategies to their websites without understanding that websites that don’t get noticed by search engines don’t get noticed. They underestimated search’s dominion over their success, a grievous miscalculation. In order to reach their often aggressive revenue goals, companies found themselves in the awkward position of having to worship search algorithms that they neither understood nor controlled.

Desperate, they turned to SEOs and paid immoderate fortunes for their help. One SEO, Eric Ward, charges $1,000 for two one-hour phone conversations and a written report that details what your site needs to do to get juice, SEO slang for any tactic that boosts page rankings. Jeremy Schoemaker, known in the search marketing world as Shoemoney, hosts the Elite Retreat, an invitation-only weekend of SEO and marketing consulting. Neil Patel was making six figures as an SEO consultant by the time he enrolled in college, and he says his company, Advanced Consulting Services, cleared $1 million in revenue last year. His clients include HP and Samsung. “If I wanted to,” Patel says with typical bravado, “I could go give a car dealership an hour of SEO advice in exchange for a free, leased car.”

A whole community of upstart entrepreneurs has emerged. Guys like Michael Gray, QuadsZilla, Naylor, Ward, Patel, Shoemoney and Aaron Wall, among others. They are the augurs, priests interpreting the will of the search engines, and they’re cashing in. On his blog, Shoemoney posted a photo of himself, with one of his SEO checks splayed across his face, leaving only two things to see, his eyes and the check’s sum: $132,994.97.

Patel, meanwhile, has been quoted in the Wall Street Journal and is also a regular conference speaker. Last year at Blog World Expo, after he gave a presentation on SEO and search marketing, someone said to him, “I can’t believe you can look at yourself in the mirror in the morning.”

THE GRAY BUSINESS OF GAMING THE SYSTEM

IT TURNS OUT that in ancient Rome, those augurs’ divinations weren’t always divine. The will of the gods sometimes depended on earthly influences like political favors and bribery.

SEO is not so different from this, either. Pay the right price, and SEOs can game the system for you by telling the algorithms little digital fibs, or sometimes deceiving them outright. This is black-hat SEO, which is a misnomer. In general, these practices aren’t illegal, just dishonest, as Naylor notes when distinguishing between black-hat hacking and black-hat SEO. (Some SEOs do call this gray-hat SEO; the nomenclature is muddied.)

Black-hat SEO is based on a simple fact: No matter how clever one makes an algorithm, it’s still just a narrow set of rules. Like all binary machines, it struggles to intuit even basic human intent. Software struggles to detect duplicity. In a way, the algorithms are like robotic consumers, who are incapable of being skeptical about aggressive, deceptive marketing practices.

Black-hat SEO techniques include link bait: fabricating a salacious news story (“Britney Spears Dead!”) that spurs prurient curiosity traffic. It’s clearly a ruse to generate clickthroughs, but the algorithms see a popular link that deserves juice. Also there’s blogspam: links planted in the comments fields of blogs despite the fact they have nothing to do with the blog’s content or the present conversation. The algorithms once counted up those links and gave juice to the site they linked to. Automation of this process allowed an SEO to plant thousands of links a day and vault to the top of the search rankings.

Another favorite technique of black-hat SEOs is cloaking: serving the search spiders content that the public can’t see (the server recognizes the crawler, typically by its User-Agent string or its IP address, and hands it a different page), thus tricking the algorithm into giving too much juice. Cloaking is like saying one million people read this story because that’s how many people were in the stores that sold the magazine that the story appeared in.

Black-hat SEO is even more wildly effective than the more legitimate forms of SEO because it is not restrained by truthfulness. If you’re willing to bend or break the search companies’ terms of service, you can get serious juice unavailable to someone who plays by the rules. The bartender who skims the till always makes more than the one who doesn’t. (Unless, of course, he gets caught.)

Many SEOs are willing to bend the rules. It’s not uncommon for an SEO consulting to major companies to use grayer SEO for his own business. “I’ve never met a so-called white-hat SEO that didn’t have some black-hat tricks,” says Schoemaker. “The same SEO that has large companies as clients probably also has a Viagra business.”

Schoemaker was not talking about Neil Patel, but he could have been. In addition to owning ACS, Patel runs his own SEO and search marketing programs focused on gambling and debt consolidation websites. (Search marketing tends to thrive in what Schoemaker calls “scammy” industries. The big three are referred to as PPC: porn, pills and casinos. He also lists ring tones and mortgage services.)

Patel makes “much more” money from this other business, though he won’t say how much. Jeremiah Grossman is quite certain a good black-hat SEO can clear seven figures in a year.

SEOs and search marketers use the higher-risk tactics mostly for themselves, but companies partake in it, too, according to every SEO interviewed for this story. Typically, once a company learns about SEO, the catch-22 becomes clear. Use it and you can reach those aggressive online revenue goals, but you’re toeing the ethical line. Don’t use it and claim the moral high ground, as your competitors who do use it game you out of the top search results.

Naylor says that when he was a black-hat SEO, “a lot of corporate sites didn’t want white-hat SEO. They wanted gray-hat SEO. They’d dip the toes a little bit deeper.” A few companies have been caught using black-hat SEO tactics and were temporarily banned from Google. Cloaking got BMW’s and Ricoh’s sites in Germany temporarily banned from Google, and many SEOs accused the New York Times of cloaking by making the algorithms see subscriber-only content that the rest of the world had to pay to see. (The Times has since abandoned its subscription model online.)


Some companies even use reverse-black-hat SEO: getting competitors’ rankings to drop rather than their own to increase. Pull the mountain down rather than scale it, a request Naylor says he’s refused many times. “That’s become almost as big a business” as SEO, says Dave Dellanave, Schoemaker’s partner.

Patel insists repeatedly that the work he does for ACS clients is completely aboveboard. “I keep those worlds totally separate. A major company doesn’t need the other tactics. They’re linked to [by other sites] naturally. You don’t have to build links for them.”
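Cloaking, described a few paragraphs above, is straightforward to test for on a site you control: request the page once with a crawler’s User-Agent string and once as a browser, and compare what comes back. The Python below is an added example for this article, not code from the story or from anyone quoted in it. It models the cloaked site as an in-process function (`cloaking_server`, a constructed stand-in) so it runs offline; the sample HTML, the hypothetical `pills.example` domain and the two user-agent strings are all constructed for illustration.

```python
"""Cloaking check: fetch one URL as a crawler and as a browser, then diff.

Added example for this article, not the article's or any quoted SEO's code.
The cloaked site is modelled by an in-process function so the check runs
offline; everything below (page HTML, the pills.example domain, the
user-agent strings) is constructed for illustration.
"""
import re
from typing import Callable, Dict, Set

# What a human visitor sees (constructed sample).
PUBLIC_HTML = """<html><body>
<h1>Dream Beds</h1>
<p>Free delivery on all mattresses.</p>
<a href="/beds">Shop beds</a>
</body></html>"""

# What the spider is shown instead: stuffed keywords plus planted links.
CRAWLER_HTML = """<html><body>
<h1>Dream Beds cheap beds discount beds best beds</h1>
<p>Free delivery on all mattresses. cheap beds king size beds</p>
<a href="/beds">Shop beds</a>
<a href="http://pills.example/xanax">cheap xanax</a>
<a href="http://pills.example/viagra">viagra online</a>
</body></html>"""

GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
BROWSER_UA = "Mozilla/5.0 (Windows NT 6.0; rv:1.9) Gecko/2008 Firefox/3.0"


def cloaking_server(user_agent: str) -> str:
    """Stand-in for a cloaked site: keys on the User-Agent header only.
    Real cloakers often key on crawler IP ranges as well (see note)."""
    return CRAWLER_HTML if "Googlebot" in user_agent else PUBLIC_HTML


def links(html: str) -> Set[str]:
    """Every href target on the page."""
    return set(re.findall(r'href="([^"]+)"', html, flags=re.I))


def visible_words(html: str) -> Set[str]:
    """Lower-cased words of the page text with tags stripped (crude, but enough to diff)."""
    text = re.sub(r"<[^>]+>", " ", html)
    return set(text.lower().split())


def check_cloaking(fetch: Callable[[str], str]) -> Dict[str, object]:
    """Fetch the page as Googlebot and as a browser; report what only the bot sees.

    `fetch` takes a User-Agent string and returns the HTML served for it.
    """
    as_bot = fetch(GOOGLEBOT_UA)
    as_human = fetch(BROWSER_UA)
    return {
        "cloaked": as_bot != as_human,
        "crawler_only_links": sorted(links(as_bot) - links(as_human)),
        "crawler_only_words": sorted(visible_words(as_bot) - visible_words(as_human)),
    }


if __name__ == "__main__":
    for key, value in check_cloaking(cloaking_server).items():
        print(f"{key}: {value}")
```

To test a live site, pass `check_cloaking` a function that wraps a real HTTP client and sets the User-Agent header. Two caveats: many cloakers key on the crawler’s IP ranges rather than its User-Agent, so a clean result here is not proof of honesty (comparing against the engine’s cached copy of the page closes that gap); and on a site you own, any difference between the two fetches that you did not put there means someone else is editing your pages.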

AN SEO GLOSSARY: PART I

Algorithm: In the case of search, a set of rules that determines how a search engine indexes content and displays the results to its users.

Bait and switch: SEO technique that creates an optimized page that’s submitted to the search algorithms but replaces that with the regular, less-optimized page as soon as the optimized page has been indexed.

Black-hat SEO: SEO techniques that violate either the spirit or the letter of the terms of service of search companies. Any technique that increases a site’s search ranking without actually increasing the site’s value to the user of the site. Also referred to as gray-hat SEO and high-risk SEO.

Clickthrough rate: The rate at which people click on a link such as a search engine listing or a banner ad. Studies show that clickthrough rates are six times higher for search engine listings than for banner ads, making search results more valuable than banner ads for driving traffic.

Doorway page: Page full of keyword-rich copy that doesn’t deliver any useful information other than the link into a site. The sole purpose is to feed the search algorithms keywords and links for increasing rankings. Also known as a bridge page or a gateway page.

Exact match: A form of keyword matching where the search query must be exactly the same as the advertisement keyword. Thus, “ring tones” matches only ads or search listings that use that precise phrase.

Fresh: The term that Google uses to refer to frequently changing webpages. The fresher a page, the more Google’s spider (Googlebot) will visit and index the page.

Gray-hat SEO: SEO using both black-hat and white-hat techniques; since there’s no definitive line between acceptable and unacceptable SEO, some consider all SEO gray hat. Also used interchangeably with black-hat SEO.

Index: A search engine’s database in which it stores textual content from every webpage that its spider visits.

Keyword: A word a search engine user might use to find relevant webpages. If a keyword doesn’t appear anywhere on your webpage, it’s unlikely your page will appear in the search results for searches that use that keyword.

Key phrase: A search phrase made up of keywords.

Link building: Requesting links from webmasters of other sites for the purpose of increasing your link popularity and PageRank; also creating compelling content, which naturally encourages others to link to your site. Link building is one of the primary preoccupations of SEOs.

Navigation bar (nav bar): A website’s navigation icons that help users explore the site but are also crucial to getting spiders to the site’s most important content.

PageRank (PR): Google’s trademarked term for its weighted formula for determining a site’s popularity. Under PR, not all links are created equal. Google differentiates a link from what it deems an important site (such as Nytimes.com) as being better than a link from scottsnewsoftheday.com. PageRank scoring ranges from 0 to 10, 10 being the best. PageRank scores get exponentially harder to achieve the closer to 10 they are. For example, increasing your own homepage’s PageRank from a 2 to 3 is easy with not a lot of additional links, and jumping from a 7 to an 8 is very difficult to achieve. The higher the PageRank of the page that’s linking to you, the more your site’s PageRank will benefit. The better your PageRank, the better you’ll do in Google, all else being equal.

Pay-per-click (PPC): A pay-for-performance pricing model in which paid search listings or ads are priced based on number of clickthroughs rather than impressions (number of times it’s served to a user) or other criteria.

Robots.txt: Text file placed in a website’s root directory (served at /robots.txt; it is not linked from the HTML). Well-behaved search spiders fetch it before crawling and follow its rules about which parts of the site they may visit; it can even ask a spider to stay out of the site entirely. Compliance is voluntary, though: it is a request to crawlers, not an access control, and a crawler that ignores it sees everything a browser can.

Search engine marketing/marketers (SEM): Using SEO and other techniques to generate ad revenue and referral fees from sites that rank high in the search engines, or the person who does that.

Search engine optimization/optimizers (SEO): Any tactic used to influence website rankings in search results, or the person who uses those tactics.

Spider: Also known as a robot or crawler. Programs used by a search engine to explore the Internet and collect information about webpages and store it in an index, which is then used for ranking pages in search results based on their relevance to the search. Having a site inspected is called “being spidered.”

Visibility: The degree to which your website is optimized for relevant keyword searches.

White-hat SEO: SEO techniques that do not violate the search engine companies’ terms of service.

Source: SEOGlossary.com, CSO Reporting

But for his black-hat SEO work, the rules are different. For example, according to search engine terms of service, one is supposed to disclose when links are paid for. Paid links give less juice than “organic” links, ones that exist because someone decided that there’s something valuable behind them. It’s the difference between a deejay playing a song because he likes it and playing a song because the record company paid him to. Patel, though, like many black-hat SEOs, will conceal the fact he’s bought links. At Blog World Expo, “I said, ‘Not only do I not disclose when I pay for links, I’ll pay you double if you don’t disclose the fact it’s a bought link.’” It was this comment that spurred someone in the audience to question Patel’s self-worth.

It didn’t bother Patel. “Everyone has their own bottom line,” he says. “I’m making good money and not getting in trouble.”

Of his black-hat SEO and search marketing days, Naylor says, “it was anything goes. Was blogspamming illegal? ‘I don’t know’ is the honest answer. There’s a form that says leave a comment. It doesn’t say, ‘Don’t leave an irrelevant or automated comment.’”

“Look at it this way,” says Dellanave. “Who is making these rules that say you can’t buy links? Are you breaking a law, or are you breaking a law of a free market that someone has created? If you get caught, you get banned and that’s your punishment. Sure, ethics bells go off sometimes. But at the same time, the search companies’ business model is flawed. It enables this. Even encourages it. So who’s the fool, the guy who takes advantage of that or the guy who doesn’t? There are hedge funds on Wall Street based on arbitrage. Is that unethical or is it exploiting a flaw in the market?”

“The problem is, there’s quick and easy money,” says Patel. “If you know you can’t get caught, you’ll do it all day long. If people don’t like it, they can try to stop it.”

CAT AND MOUSE

FOR A LONG time, SEOs say, the search companies’ attitude toward black-hat SEO was best described as clement. One SEO called Google’s former position on enforcing its terms of service a “rhetorical stance.” Matt Cutts, Google’s chief liaison to the SEO and search marketing community, says enforcement against “high-risk SEO” was neither lax nor selective for any reason other than the obvious one: “As you get larger as a company, you have more resources to pursue what you always wanted to enforce.”

So while the search companies would suss out the most blatant scams, careful black-hat SEOs could thrive. The key was restraint. “Game the system, just not so forcefully that you’re noticed.” Naylor says that was a good rule of thumb.

And periodically, the search companies were stirred to action by the effect SEO was having on search results. Sometimes, for example, SEOs could knock a company out of the top result for searches on that company’s name. One day in late 2006, the top result for searches on the term “trump” suddenly changed from that company’s site to a site selling erectile dysfunction drugs.

Search companies know this makes their product look bad and “that threatens their business model, which relies on advertisers paying them to deliver quality search results that many people will continue to use,” says Schoemaker. “So they react when it happens, but they don’t seem to care until people notice.”

The first time search companies tried to neutralize black-hat SEO came soon after search started to flourish, almost a decade ago. Back then, the algorithms focused on the page itself and what was on it, specifically keywords that would match what people searched for. To boost their rankings, sites manipulated keywords forcefully. “They had 40 or 50 techniques they used to do this,” says SEO Eric Ward. (Ward says he does not use black-hat SEO techniques.) Sometimes site owners would just spill a sea of keywords at the bottom of a page. Sometimes they’d hide them behind images or make them the same color as the page’s background. The principle was to include as many keywords on the page as possible, to increase the likelihood any given search would match the keywords and draw the site into search results.
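The keyword-hiding tricks just described (text colored to match the background, text tucked out of sight) and the links planted in the hacked blog earlier in the story both leave traces in the page’s own markup, and a site owner can scan for them. The scanner below is an added example for this article, not code from the story. The sample page, the hiding rules it checks (display:none, visibility:hidden, zero font size, off-screen positioning, text color equal to the body background) and the short spam-term list are all constructed for illustration and would need tuning for a real site.

```python
"""Scan a page for hidden keyword text and planted links.

Added example for this article, not the article's own code. The sample
page, the hiding rules and the spam-term list are constructed for
illustration; tune the lists before using this on a real site.
"""
import re
from html.parser import HTMLParser
from typing import List, Optional, Tuple

Finding = Tuple[str, str, str]  # (kind, detail, reason)

# A legitimate blog post with the kinds of injection the story describes
# (constructed sample): a display:none block of pharma links, text colored
# to match the background, and a paragraph pushed off-screen.
SAMPLE = """<html><body style="background:#ffffff">
<h1>Notes from the garden</h1>
<p>The tomatoes came in early this year.</p>
<div style="display:none">
  <a href="http://pills.example/xanax">buy xanax</a>
  <a href="http://pills.example/viagra">cheap viagra</a>
</div>
<p style="color:#ffffff">ring tones free ring tones cheap ring tones</p>
<p style="position:absolute; left:-9999px">casino poker casino</p>
<a href="/about">About this blog</a>
</body></html>"""

# Inline-style patterns that make an element invisible to a reader.
HIDING_RULES = (
    (r"display:none", "display:none"),
    (r"visibility:hidden", "visibility:hidden"),
    (r"font-size:0(?:px|pt|em|%)?(?:;|$)", "zero font size"),
    (r"(?:left|top|text-indent):-\d{3,}", "off-screen positioning"),
)

# Terms that have no business in a gardening blog's outbound links.
SPAM_TERMS = ("xanax", "viagra", "casino", "poker", "ringtone")


def css_value(style: str, prop: str) -> Optional[str]:
    """Value of one property in an inline style string, or None."""
    m = re.search(r"(?:^|;)\s*" + re.escape(prop) + r"\s*:\s*([^;]+)", style, re.I)
    return m.group(1).strip().lower().replace(" ", "") if m else None


def hiding_reason(style: str, background: Optional[str]) -> Optional[str]:
    """Why an element with this inline style would be invisible, or None."""
    compact = style.replace(" ", "").lower()
    for pattern, reason in HIDING_RULES:
        if re.search(pattern, compact):
            return reason
    color = css_value(style, "color")
    if color and background and color == background:
        return "text color matches background"
    return None


class SpamScanner(HTMLParser):
    """Walk the document, inheriting 'hidden' from enclosing elements."""

    def __init__(self) -> None:
        super().__init__()
        self.background: Optional[str] = None
        self.hidden_stack: List[Optional[str]] = []  # hiding reason per open element
        self.findings: List[Finding] = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        style = a.get("style") or ""
        if tag == "body":
            self.background = css_value(style, "background-color") or css_value(style, "background")
        inherited = self.hidden_stack[-1] if self.hidden_stack else None
        reason = hiding_reason(style, self.background) or inherited
        self.hidden_stack.append(reason)
        href = a.get("href")
        if tag == "a" and href:
            if reason:
                self.findings.append(("hidden link", href, reason))
            for term in SPAM_TERMS:
                if term in href.lower():
                    self.findings.append(("spam link", href, term))
                    break

    def handle_endtag(self, tag):
        # Assumes reasonably well-formed HTML; unclosed tags would desync the stack.
        if self.hidden_stack:
            self.hidden_stack.pop()

    def handle_data(self, data):
        text = " ".join(data.split())
        if text and self.hidden_stack and self.hidden_stack[-1]:
            self.findings.append(("hidden text", text, self.hidden_stack[-1]))


def scan(html: str) -> List[Finding]:
    """Return every hidden-text, hidden-link and spam-link finding in `html`."""
    scanner = SpamScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


if __name__ == "__main__":
    for kind, detail, reason in scan(SAMPLE):
        print(f"{kind:12} {reason:28} {detail}")
```

Run it over a site’s pages, or better over the difference between today’s copy and a known-good backup, and review every finding by hand: legitimate templates use display:none for menus and accessibility text, so the hits are leads, not verdicts. The parser keeps a stack of open elements, so unclosed tags in sloppy HTML can carry a hiding reason too far; a production scanner would parse with a tolerant library such as html5lib and also check external stylesheets, which this example ignores.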

When this got out of hand, the search companies tweaked the algorithms and shifted the rules from trusting keywords the most to trusting links the most. (The presumption, of course, is that website owners and content producers will try to cheat. They are trusted the least.) This made link building the center of all SEO strategies.

In principle, the idea is sound. A site can be judged by the company it keeps. But there were problems. At first, the algorithms seemed to value link volume the most, and that spurred link farms: pages full of nothing but links that the SEOs tricked people into visiting to create a self-sustaining constellation of juice. In response, the search companies altered the algorithms to value “authoritative links,” those from other sites that were already considered valuable themselves.
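What a link farm does to a link-counting ranking, and why weighting by already-trusted pages defeats it, can be seen on a toy graph. The Python below is an added example for this article, not code from the story or from Google: it implements the published PageRank formula (Page and Brin’s random surfer with a damping factor) and a trust-seeded variant in the spirit of the TrustRank literature, where the surfer restarts only at hand-picked trusted pages. The five-site web, the twenty-page farm and all page names are constructed, and nothing here is Google’s production algorithm.

```python
"""Toy PageRank on a small web, with and without a link farm.

Added example for this article. It implements the published PageRank
formula (Page and Brin's random surfer with a damping factor) and a
trust-seeded variant in the spirit of TrustRank (the surfer restarts only
at hand-picked trusted pages). Neither is Google's production algorithm,
and the five-site web, the farm and all page names are constructed.
"""
from typing import Dict, List, Optional

Graph = Dict[str, List[str]]  # page -> pages it links to


def pagerank(graph: Graph, damping: float = 0.85, iters: int = 100,
             restart: Optional[Dict[str, float]] = None) -> Dict[str, float]:
    """Power iteration of PR(p) = (1-d)*r(p) + d * sum over q->p of PR(q)/out(q).

    `restart` r is the teleport distribution: uniform for classic PageRank,
    concentrated on trusted seeds for the TrustRank-style variant.
    """
    pages = list(graph)
    if restart is None:
        restart = {p: 1.0 / len(pages) for p in pages}
    rank = dict(restart)
    for _ in range(iters):
        new = {p: (1.0 - damping) * restart.get(p, 0.0) for p in pages}
        for p in pages:
            out = graph[p]
            if not out:
                # Dangling page: hand its rank back out via the restart distribution.
                for q in pages:
                    new[q] += damping * rank[p] * restart.get(q, 0.0)
                continue
            share = damping * rank[p] / len(out)
            for q in out:
                new[q] += share
        rank = new
    return rank


def honest_web() -> Graph:
    """Constructed sample: four genuinely interlinked sites and a pill shop nobody links to."""
    return {
        "news": ["uni", "shop"],
        "uni": ["news", "lib"],
        "lib": ["uni", "news"],
        "shop": ["news"],
        "pills": [],
    }


def with_link_farm(graph: Graph, target: str, size: int) -> Graph:
    """Add `size` throwaway pages that link to `target` and to each other,
    with `target` linking back so the juice keeps circulating."""
    g = {p: list(v) for p, v in graph.items()}
    farm = [f"farm{i}" for i in range(size)]
    for f in farm:
        g[f] = [target] + [other for other in farm if other != f]
    g[target] = g.get(target, []) + farm
    return g


def trust_restart(graph: Graph, seeds: List[str]) -> Dict[str, float]:
    """Teleport only to the trusted seed pages."""
    return {p: (1.0 / len(seeds) if p in seeds else 0.0) for p in graph}


def rank_position(rank: Dict[str, float], page: str) -> int:
    """1-based position of `page` when pages are ordered by score."""
    return sorted(rank, key=rank.get, reverse=True).index(page) + 1


def demo():
    """Honest ranking, ranking with a 20-page farm, and the trust-seeded ranking."""
    farmed_graph = with_link_farm(honest_web(), "pills", 20)
    honest = pagerank(honest_web())
    farmed = pagerank(farmed_graph)
    trusted = pagerank(farmed_graph, restart=trust_restart(farmed_graph, ["news", "uni"]))
    return honest, farmed, trusted


if __name__ == "__main__":
    honest, farmed, trusted = demo()
    for label, r in (("honest", honest), ("with farm", farmed), ("trust-seeded", trusted)):
        print(f"{label:13} pills={r['pills']:.4f} shop={r['shop']:.4f} "
              f"position of pills: {rank_position(r, 'pills')}")
```

The farm’s 21 pages link only to one another, so the plain ranking hands them a share of the total score proportional to their count (21 of 25 pages, so 84 percent) even though nobody outside links in, and the pill shop overtakes the honest retailer. Seeding the restart on two trusted pages starves the farm entirely, because no trusted page links into it; that is the intuition behind valuing “authoritative links” rather than raw link volume.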

That helped to block off the link farms and other egregious link-building techniques, but it did little to stem black-hat SEO. Bringing peers into the equation encouraged people to manipulate not only their own sites but their peers’ sites too. It pushed SEOs into tactics like blog spamming, which proved so effective that links in comments fields and on online guestbooks essentially have been dejuiced altogether. SEOs also targeted .edu domains. Because of their academic focus, the algorithms assume they’re more credible than commercial sites, and therefore .edus pass more juice than .coms. SEOs would borrow students’ unused Web space (sometimes they’d pay the students for it) and fill it with links. It was like lying on your resume. The algorithm didn’t know that your links didn’t really go to Harvard.

The more search companies tried to contain them, the more aggressively SEOs circumvented the rules. The game changed from using loopholes to actively abusing the algorithms. They deployed bait-and-switch schemes, using a phrase like “Click Here to Learn More” to get a user to click on what is actually a hidden link to boost someone’s ranking. Cloaking emerged. Patel and others paid premiums for links, spawning link brokers, who streamlined the link-buying process. Good coders created complex schemes that sent users through several pages of links before they arrived at the content they were looking for.

The schemes are endless, like the imagination. And like all arms races, this one escalated to an untenable level. The game had to change again. ■

Scott Berinato is executive editor of CSO magazine. Reach him at sberinato@cxo.com.


Coming next month in CSO

Part 2: How and why SEO and hacking are finally merging and what it means for the future of search.




MOBILE  SECURITY 


Protecting the Mobile Workforce

Seven ways to safeguard your company’s roaming data from thieves, hackers, viruses and just plain stupidity

By Stacy Collett

Where  did  I  leave  my  #&%!  Palm  Pilot? 

A salesperson for an international conglomerate with more than 50,000 employees probably uttered a similar phrase while rifling through pockets and suitcases looking for his PDA while traveling on business.

After a lengthy search, he believed the mobile device was simply lost. But later he would learn that it was actually stolen. The salesperson had been targeted by a competitor. The thief wanted access to his contact list of fellow sales reps at the company. Weeks later, 80 percent of the sales force also disappeared, lured away by more lucrative pay packages.

True  story.  Think  it  can’t  happen  to  you? 


Illustration  by  Celia  Johnson 




Today’s highly mobile workforce, coupled with an explosion of new mobile gadgets that give users access to the Internet from anywhere, has created nightmares for security managers, who are losing control of what devices employees use at work.

As mobile devices are becoming physically smaller and logically larger, employees can easily take large amounts of valuable corporate information with them anywhere. Today’s multiuse cell phones, for instance, can hold up to 2GB of data on a removable miniSD (secure digital) card. BlackBerrys, iPhones and laptops are equally mobile, loaded with company data and susceptible to loss or theft.

“The edge of the corporate network is that [mobile] device, and the security controls in the device are a disaster,” says Matthew E. Luallen, president of Sph3r3, a security consulting firm in Chicago. “Security, by far, is not keeping up.”

Among the culprits: Default settings on mobile devices are too easy to use and infiltrate; most mobile file systems aren’t siloed, so a compromise in one area affects the whole device. Patches are hard to administer and enforce on myriad devices.

There are two problems that security professionals must consider: protecting the data that’s on the device, and preventing malicious access to corporate networks through the mobile device.

With smaller devices, “you don’t necessarily even have the processing power or the resources available to protect the data,” Luallen adds. Cell phones, for instance, lack the processing power to accommodate fast, effective encryption tools. Some cell phone encryption software can take up to 10 minutes to decrypt data. “That typically conflicts with what we’re trying to provide for a mobile workforce,” which is ease of use and performance, he says.

What’s more, wireless capabilities are being integrated into every piece of technology. The new SD card from Eye-Fi, for starters, embeds wireless capabilities in the memory card. It promises to effortlessly upload pictures from digital cameras to a PC. For a security manager, that is also one more radio, and one more path by which data leaves a device, that the device’s owner may never be watching.

Employees might think that the chances are slim that a lost laptop, cell phone or PDA will actually fall into enemy hands. But the odds get much worse if it happens at a business conference or trade show. “If you lose your hard drive or flash drive there, the chances of someone picking it up and knowing what to do with it are pretty good!” says Jack Gold, president and principal analyst at J. Gold Associates.

“Know  that  you  are  going  to  lose  assets,” 
Luallen  cautions.  “So  protect  it  so  that 
somebody  else  can’t  read  it.  Then  make 
sure  it’s  backed  up  somewhere.”  Security 
analysts  offer  their  advice  for  protecting 
employees’  mobile  devices  from  thieves, 
hackers  and  just  plain  stupidity. 

1.  IT  should  control 
the  outbound 

“You need to start treating these [mobile] devices just as you would your PCs,” says Stacy Sudan, research analyst for mobile enterprise software at IDC (a sister company to CSO’s publisher). “They are minicomputers, and you need to treat them that way. Security is clearly a part of that.” That means centralizing a mobile security strategy and tying it to the broader corporate security strategy.

Identify  what  information  is  being 
accessed,  tag  it  as  sensitive  or  unclassified 
and  then  control  its  dissemination. 

At health benefits firm Cigna, in Philadelphia, several hundred systems contain sensitive health and financial data protected under HIPAA and other regulatory guidelines. CISO Craig Shumard uses role-based access software from Aveksa to determine which of the 27,000 employees are granted access to these systems.

“We really restrict access to our resources to Cigna machines,” including 9,000 laptops, Shumard says. “We don’t allow folks to attach using their home computers. We only allow BlackBerrys as the approved device for remote e-mail and phone. We don’t allow people to have their own phones and e-mail connections.” In B2B cases, the company requires VPNs or other types of security mechanisms, he adds.
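The controls described in this section can be expressed as a single access decision: data tagged by classification, role-based entitlements to each system, access limited to company-managed devices of an approved kind, and partners admitted only over a VPN. The following is an added example written for this article, not Cigna’s or Aveksa’s software; the roles, systems, device records and the approved-device list are invented, and the decision function returns the failing control so that every denial can be logged and audited.

```python
"""Access decision for a corporate resource, combining data classification,
role entitlement and device approval.

Added example for this article; it is not Cigna's or Aveksa's code. The
role names, system names, device records and policy table are invented
for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class Classification(Enum):
    UNCLASSIFIED = "unclassified"
    SENSITIVE = "sensitive"      # e.g. HIPAA-protected health or financial data


@dataclass(frozen=True)
class System:
    name: str
    classification: Classification
    roles: frozenset            # roles entitled to this system (role-based access)


@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool               # company-issued and enrolled in device management
    kind: str                   # "laptop", "blackberry", "home-pc", ...
    encrypted: bool             # full-disk encryption confirmed by the management agent


@dataclass(frozen=True)
class AccessRequest:
    user: str
    roles: frozenset
    device: Device
    system: System
    via_vpn: bool = False
    partner: bool = False       # B2B access from outside the company


# Device kinds permitted to reach corporate resources at all (hypothetical list).
APPROVED_KINDS = frozenset({"laptop", "blackberry"})


def decide(req: AccessRequest) -> tuple[bool, str]:
    """Return (allowed, reason). Every denial names the control that failed,
    so the decision can be logged and audited."""
    dev = req.device
    if req.partner:
        # Business partners never get a managed device; they must come in over VPN.
        if not req.via_vpn:
            return False, "partner access requires a VPN"
    else:
        # Employees: only company-managed devices of an approved kind.
        if not dev.managed:
            return False, f"unmanaged device {dev.device_id} (e.g. a home computer)"
        if dev.kind not in APPROVED_KINDS:
            return False, f"device kind {dev.kind!r} is not approved"
    # Role entitlement to the specific system.
    if not (req.roles & req.system.roles):
        return False, f"no role entitled to {req.system.name}"
    # Sensitive data only lands on endpoints whose storage is encrypted.
    if req.system.classification is Classification.SENSITIVE and not dev.encrypted:
        return False, "sensitive system requires an encrypted device"
    return True, "allowed"


def run_scenarios() -> dict[str, bool]:
    """Exercise the policy with constructed requests; returns name -> allowed."""
    claims = System("claims-db", Classification.SENSITIVE,
                    frozenset({"claims-adjuster", "auditor"}))
    intranet = System("intranet", Classification.UNCLASSIFIED,
                      frozenset({"employee", "partner"}))
    laptop = Device("LT-0001", managed=True, kind="laptop", encrypted=True)
    blackberry = Device("BB-0002", managed=True, kind="blackberry", encrypted=False)
    home_pc = Device("HOME-1", managed=False, kind="home-pc", encrypted=False)
    adjuster = frozenset({"employee", "claims-adjuster"})
    staff = frozenset({"employee"})
    partner = frozenset({"partner"})

    requests = {
        "adjuster_laptop_claims": AccessRequest("alice", adjuster, laptop, claims),
        "adjuster_home_pc_claims": AccessRequest("alice", adjuster, home_pc, claims),
        "staff_laptop_claims": AccessRequest("bob", staff, laptop, claims),
        "adjuster_blackberry_claims": AccessRequest("alice", adjuster, blackberry, claims),
        "staff_blackberry_intranet": AccessRequest("bob", staff, blackberry, intranet),
        "partner_no_vpn_intranet": AccessRequest("acme", partner, home_pc, intranet,
                                                 partner=True),
        "partner_vpn_intranet": AccessRequest("acme", partner, home_pc, intranet,
                                              via_vpn=True, partner=True),
    }
    return {name: decide(req)[0] for name, req in requests.items()}


if __name__ == "__main__":
    for name, allowed in run_scenarios().items():
        print(f"{name:32s} {'ALLOW' if allowed else 'DENY'}")
```

The order of the checks matters: device posture is evaluated before role entitlement, so an unmanaged home PC is refused even for a user who holds the right role, which is the rule Shumard describes.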

2.  Add  another  layer 
of  security 

Most companies should look for three capabilities in their mobile security software: authentication, wipe-and-lock features that can remotely render the device useless, and encryption, Sudan says.


“If  you  have  some  kind  of  power-on 
password,  the  thief  can’t  even  get  into  the 
thing— that’s  a  good  first  step,”  says  Sudan. 

She also recommends adding the ability to wipe or lock the devices remotely, but Luallen cautions that the command only helps if it reaches the device: unless the feature is activated quickly, a would-be intruder can simply pop out the battery so the device never reconnects to receive it, leaving whoever holds the hardware free to go after the data.

Until cell phone and PDA encryption processing speeds improve, “you may not want to encrypt the full disk right now,” Sudan says. “But at least have the ability to encrypt files and folders—or at least your e-mail.”

At  Cigna,  all  laptops  have  full-disk 
encryption  and  some  have  a  second  layer 
of  encryption  on  specific  files.  “It  protects 
the  data  from  somebody  who  has  to  log 
on...to  fix  the  machine.  But  since  they’re 
not  logging  on  with  the  user’s  credentials, 
they  still  don’t  have  access  to  the  data,” 
Shumard  says.  Users  haven’t  complained 
about  slow  processing  times  so  far. 
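The property Shumard describes, a second encryption layer keyed to the user’s own credential so that a technician who logs on to repair the machine can read the disk but not the files, can be shown in code. What follows is an added example written for this article, not Cigna’s or any vendor’s tooling. It derives the file key directly from a passphrase, where a real product would typically unlock a per-user key at logon, and it builds authenticated encryption from Python’s standard library (PBKDF2 for key derivation, HMAC-SHA256 in counter mode as the keystream, and an HMAC-SHA256 tag) only so that it runs without third-party packages; a production implementation should use AES-GCM from a vetted library such as `cryptography`. The file layout, user names and sample record are invented.

```python
"""Per-user file encryption bound to the user's own credential.

Added example for this article, not Cigna's or any vendor's code. It shows
the property described above: an administrator who logs on to the machine
with a different credential can read the disk but not the file. To stay
dependency-free it builds authenticated encryption from the standard
library (PBKDF2 for key derivation, HMAC-SHA256 in counter mode as the
keystream, HMAC-SHA256 as the authentication tag). A production tool
would use AES-GCM from a vetted library such as `cryptography` instead;
the file layout and user names here are invented.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets

SALT_LEN = 16
NONCE_LEN = 16
TAG_LEN = 32
PBKDF2_ROUNDS = 600_000  # OWASP's current guidance for PBKDF2-HMAC-SHA256


def derive_keys(credential: str, salt: bytes) -> tuple[bytes, bytes]:
    """Derive separate encryption and MAC keys from the user's credential."""
    master = hashlib.pbkdf2_hmac("sha256", credential.encode(), salt,
                                 PBKDF2_ROUNDS, dklen=32)
    enc_key = hmac.new(master, b"file-encryption", hashlib.sha256).digest()
    mac_key = hmac.new(master, b"file-authentication", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 used as a PRF in counter mode: PRF(key, nonce || counter)."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(8, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_file(credential: str, plaintext: bytes) -> bytes:
    """Return salt || nonce || ciphertext || tag. Fresh salt and nonce per file."""
    salt = secrets.token_bytes(SALT_LEN)
    nonce = secrets.token_bytes(NONCE_LEN)
    enc_key, mac_key = derive_keys(credential, salt)
    ciphertext = _xor(plaintext, _keystream(enc_key, nonce, len(plaintext)))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return salt + nonce + ciphertext + tag


def decrypt_file(credential: str, blob: bytes) -> bytes | None:
    """Return the plaintext, or None if the credential is wrong or the file
    was altered. The tag is verified before any decryption (encrypt-then-MAC)."""
    if len(blob) < SALT_LEN + NONCE_LEN + TAG_LEN:
        return None
    salt = blob[:SALT_LEN]
    nonce = blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    ciphertext = blob[SALT_LEN + NONCE_LEN:-TAG_LEN]
    tag = blob[-TAG_LEN:]
    enc_key, mac_key = derive_keys(credential, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return _xor(ciphertext, _keystream(enc_key, nonce, len(ciphertext)))


def run_demo() -> dict[str, bool]:
    """Constructed scenario: the user's file survives a technician's logon."""
    record = b"Member 4471: claim approved, diagnosis code withheld."  # constructed sample
    blob = encrypt_file("alice-passphrase", record)
    # Flip one ciphertext byte (offset 40 lies past the 32-byte salt+nonce header).
    tampered = blob[:40] + bytes([blob[40] ^ 0x01]) + blob[41:]
    return {
        "owner_reads_file": decrypt_file("alice-passphrase", blob) == record,
        "technician_denied": decrypt_file("helpdesk-admin-pw", blob) is None,
        "tamper_detected": decrypt_file("alice-passphrase", tampered) is None,
    }


if __name__ == "__main__":
    for check, ok in run_demo().items():
        print(f"{check:20s} {'pass' if ok else 'FAIL'}")
```

Because the tag is checked before any plaintext is produced, a wrong credential and a modified file look the same to the caller, which is the desired behaviour: someone with the disk image learns nothing about which of the two failed. The 600,000-iteration PBKDF2 also gives a feel for the processing cost Luallen complains about on small devices; on a 2008 handset that step alone would have been noticeable.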

Cigna  also  deploys  technology  that 
prevents  users  from  downloading  data  to 
a  travel  drive  and  copying  information  to 
CDs.  These  and  other  security  features 
are  available  today  in  most  mobile  device 
management  products  and  mobile  security 
products  offered  by  a  range  of  vendors. 

Large systems management vendors include CA, IBM and Hewlett-Packard. Mobility vendors such as BlackBerry, Motorola and Nokia offer both categories of products, as do pure-play security management vendors. Most products support the two most common mobile operating systems in the U.S., Windows Mobile and BlackBerry.

There are differences between mobile security products and mobile device management software. MDM includes software distribution, asset management, remote control and some baseline security features—“what you would find in a PC device management product,” Sudan says.

Mobile security products are specifically focused on security, with mobile VPNs, mobile antivirus and mobile firewalls, as well as the device wipe-and-lock and encryption features also found in MDM software.

QUICK TIPS

1. Delete information that is no longer necessary. Keep only one day of e-mail and the files needed for the day’s activity on the device.

2. Do not use shared devices (hotel computers or fax machines) for information that should be protected.

3. Understand how to notify someone when you detect or lose something. This can be hard while you are mobile; you can’t call someone when you have lost your smartphone. And even once you have found a phone that you can use, you may no longer have your emergency contact number. The point is to practice your incident response plan, because you won’t know how to respond until the time you need to.

4. Disable any functionality you don’t need. Disable Bluetooth discoverable mode, and turn off 802.11 wireless when it’s not in use.

5. Encrypt sensitive information on the device, if possible.

6. Recognize that information security is not just technology; it is also protecting physical assets and verbal communications.

7. The IT department should provide only the view necessary to any specific mobile individual or system.

8. Sanitize (wipe) obsolete mobile devices.

Source: Sph3r3 LLC

3. Prevent Web-based mobile attacks

In 2006, IDC saw an increase in the volume and sophistication of mobile malware, which has prompted analysts to recommend that companies begin evaluating MDM and mobile security products. According to an IDC report, “Several viruses have been specifically developed to exploit vulnerabilities in mobile phones and handheld devices.” The majority of these have been low-level threats, but they have laid the proof-of-concept groundwork for others to follow.

Some MDM products offer feature-block capabilities that disable Bluetooth, SMS or multimedia messaging service (MMS) messaging, so that malware has fewer ways onto the phone. They also let administrators disable USB connectivity, turn off cameras and disable ActiveSync, or any other port through which malware could arrive.

4.  Understand  the  default 
settings  on  mobile  devices 

Default settings on mobile devices may make them easy to set up, but they also create big security holes. For instance, cities like Chicago require motorists to use hands-free devices when using a cell phone while driving, so a growing number of drivers are buying Bluetooth headsets. To get up and running quickly, users often leave the headset in the manufacturer’s default discoverable mode and keep the short, easily guessed default PIN. The problem is that attack tools now exist that take advantage of exactly those defaults. Hackers can potentially eavesdrop on phone conversations, Luallen says.

5.  Educate  employees  and  “put 
money  where  your  mobile  is” 

Have a written policy—not a 30-page document, but something more like a seven-point plan, Gold says. Employees should learn to treat all data as a corporate asset.

At some companies, talk was indeed cheap, so they’ve added a monetary punch to their written mobile policy. Some large companies have included provisions within their employee agreement that tie a percentage of an employee’s bonus or raise to any security incidents that may have involved them, such as the loss of a laptop, PDA, cell phone or flash drive. “Slowly, people are realizing that this is the only way they’re going to be successful. If there is no ‘me factor,’ then nobody’s going to do it,” Luallen says.

IT and security managers may also want to define a policy for using an employee’s own mobile device at work. “Some companies have policies where you’re only going to be able to use the device that they provide” so they can control access and security features, Sudan says. Other companies let employees use their own mobile devices, “but you have to bring it in, let them know that you’re using it and certify it” with the security features, including antivirus, firewalls, authentication and encryption.

6.  Don't  forget  mobile 
device  etiquette 

About 72 percent of Americans say that the worst cell phone habit is having loud conversations in public, according to a national poll by market research group Synovate in Chicago. Not only is it annoying, it’s potentially dangerous if the subject is business. You never know where the competition lurks—on a commuter train, on an airplane, at the next table at a restaurant, in the next bathroom stall. Likewise, employees need an occasional reminder that anyone sitting nearby in a coffee shop or on an airplane may have a view of an injudiciously placed laptop screen.

7.  Find  a  product  that  balances 
security  with  usability 

Choose  processes  in  which  security  is  going 
on  in  the  background  and  users  don’t  have 
to  worry  about  it. 

“If your employees have to enter a password every time they have to make a phone call, or if their device has to be unlocked after every 30 seconds, that’s going to drive them to not want to use the mobile device,” Sudan says. “You want your employees to get the productivity gains that you’ve invested in.”

Industry watchers say that a proactive stance will help companies rebound quickly when mobile devices are inevitably infected, breached, lost or stolen.

“Most companies are just beginning to realize that they need some kind of baseline mobile security,” Sudan says. “There’s no dominant model in place quite yet, but they are figuring out that they need to do something about it.”


Stacy  Collett  is  a  freelance  writer  based  in  the 
Chicago  area.  Send  feedback  to  Editor  Derek 
Slater  at  dslater@cxo.com. 




The  self-described 
Christian  hacker  talks 
about  how  he  wrote  No 
Tech  Hacking,  why  social 
engineering  is  easier  than 
breaking  software  and 
how  he’s  trying  to  get 
the  hacking  community 
to  do  charity  work 


BY  KATHERINE  WALSH 


INTERVIEW 


JOHNNY LONG has been hacking stuff for as long as he can remember. Long, a security researcher at Computer Sciences Corporation, is a self-described Christian hacker who created an organization for the hacking community to do charity work. He says his goal is to improve the security of computer networks by exposing their vulnerabilities. Long became the authority on search-engine hacking in 2005 when he wrote Google Hacking for Penetration Testers, the first book to explore how malicious hackers use Google features to unlock security flaws. In his new book, No Tech Hacking, he explains how hackers are using their curiosity and perception to compromise security without the use of technology, and what security professionals need to know to get ahead of the game.

CSO:  Explain  the  concept  of  “no-tech  hacking.” 

Johnny Long: Security is a race between the good guys and the bad guys. Everybody tries to get more technically advanced and smarter about what it is that they are doing. After being a professional hacker for a number of years—breaking into computer networks and breaking into physical buildings to get access to computer networks and data—I learned that the things I was able to do most successfully often had very little to do with technology. I could spend a week, a month or three months pounding on an Internet-connected network for some agency, trying to sneak past their firewall, or in a matter of two days I could actually be inside the building through social engineering—maybe by creating a fake badge that looked like an employee badge, pretending to be a telephone repairman or even by entering through the smokers’ entrance. There’s a whole pile of stuff that doesn’t involve technology. (See CSO’s excerpt of No Tech Hacking for more on the problems with employee badges at www.csoonline.com/read/110107/fea_book.html.)

Why  does  a  good  no-tech  hacker  also  have  to  be  a  good 
social  engineer? 

It’s  all  about  being  comfortable  where  you  are.  A  lot  of 
people  assume  it’s  like  acting,  where  you  have  to  play  a 
part,  but  really  it’s  just  about  coming  across  as  someone 
who’s  not  up  to  something.  Really  good  social  engineers 
can  pick  up  the  phone  and  change  their  voice  or  their  age. 
These  days,  you  don’t  even  have  to  do  that— you  just  have 
to  be  comfortable  and  convince  yourself  that  you’re  in  a 
place  you  belong,  that  you’re  having  a  conversation  that’s 
completely  normal. 

What  was  the  writing  process  like?  Did  you  find  that  you 
learned  new  things  as  you  went  along? 

This was slow in coming. Many projects I work on are three to six months from beginning to end. The writing process for No Tech was very similar in duration, but the research, stories and photos behind it were years in the making. I got to the point where I saw so many things in public that I started carrying a camera with me all the time. I started pulling together pictures and war stories, and then came to the realization that it was practical stuff that a wide audience could understand. No Tech gets to the heart and soul of what we’re up against, not just for corporations trying to protect their data, but for individuals trying to protect their privacy.

Talk  about  your  relationship  with  your  work  partner 
Vince,  whom  you  describe  in  the  beginning  pages  of  the 
book.  What’s  the  most  valuable  lesson  about  no-tech 
hacking  that  you  learned  from  him? 

He was a mentor in many different ways. He didn’t just give me practical advice; he literally shifted my perspective to focus on things most people wouldn’t think about. In our working relationship, I was always considered the hacker because I broke into the systems and the networks, but Vince really personified what it is that makes hackers special. It’s that mentality of seeing life from a different perspective. Even though Vince isn’t highly technical—he’s excellent with things like communications and physical security—his skills plunge right into the heart of the technical world. He could find a way into a building and walk out with an armful of sensitive documents, a process that would have taken us months from a purely technical angle. It was incredibly eye-opening.

What  is  the  most  important  aspect  of  no-tech  hacking? 

It’s definitely awareness. No-tech hackers are definitely more aware than the standard person. They notice details; they’re very perceptive. It’s definitely something that can be learned, but it comes much easier if you have an instinct for it. The awareness associated with no-tech hacking goes a long way for preventing it as well. If you’re walking in to work and you notice there is a bag full of unshredded paper sitting outside the dumpster, or you notice a door that is supposed to be locked and isn’t—it’s noticing that and being willing to do something about it. There is a fine line. I don’t want to create a society of completely paranoid people. But at the same time, I have been able to walk around airports, past the security gates, taking pictures of people’s baggage or taking video footage of pilots pushing the combination into a door lock. In this day and age, in that environment, someone should be noticing. In my experience, right now, they are not.

Your  actions  make  sites  more  secure.  Was  that  your 
intent  when  you  got  into  hacking? 

No, I had no clue. I’ve always had a passion for technology. Security and hacking was a really fun sideline. It’s similar to a child who takes to puzzles or math. Hacking for me was like figuring out this really cool puzzle. But even as a kid, I wasn’t doing anything malicious. I was just infinitely curious. It was a new territory to explore. When I got into college, I followed traditional advice and took typing classes. I thought I wanted to be a systems administrator. I never imagined I’d be doing security work. I fell into it almost accidentally, mostly through Computer Sciences Corporation, where I work now. They hired me as a systems administrator, but they also had a security team. When I realized they got paid to break into networks and things like that, I was insanely curious. At first, members of that team were very skeptical of me. I was a little too interested, and I was young. I had an image of liking to buck the system. Eventually, I ended up founding a penetration testing team within CSC.

Are  you  disturbed  by  the  vulnerabilities  you  detect  as  part  of 
your  work?  Excited  by  it?  A  little  of  both? 

I think it’s like every other profession. After a while you get used to it. Doctors see grisly accidents and pull people back from the brink every day. It can be such an incredible rush, but when you do it hundreds of times, it gets to the point where you push it off to the periphery and it becomes hard to be surprised. I’m at the stage where I am rarely surprised anymore. I think I just have a sense of humor about it now more than anything.

You’ve  created  an  organization  enabling  the  hacking  community 
to  do  charity  work.  Do  people  have  trouble  understanding  how 
hacking  can  actually  be  good? 

There is a definite stigma around who hackers are. There are a lot of people out there who really are just criminals using computers, and they are called hackers because they are doing all these malicious things. But the vast majority of people who actually fit the term hacker are more curious. They have unbelievable skills. We want them to apply those skills to areas where they are needed the most. In the case of AOET [an organization dedicated to helping poor orphans whose parents have died of AIDS in countries like Uganda], we are literally saving lives and getting supplies to where they are needed. We take the skills the hacking community is willing to offer us, run them through a rigorous vetting process, and the result is that we help not only charities, but hackers who are looking to get into the legitimate job world.

What  are  some  examples  of  how  hacking 
skills  can  be  applied  to  charities? 

There is more to hacking than offensive security. One by-product is that you learn good defense. So one thing we do is to lock down sites that are already installed. We’ll look at them and see that software packages are out of date, or there’s a problem with the code. We also have Web design skills. Understanding HTML and the languages of the Web gives you a leg up in design. Programming is another skill that many hackers are very good at. For AOET, we put a child sponsorship program online where people can sponsor children for $30 a month and pay for their schooling and clothes and medical supplies. We’ve automated that system, transforming it from a very slow, laborious thing to a point-and-click pay online effort. It literally saves kids because it gets more kids into the program. It was written by a programmer in a week and a half with no budget.

You  describe  yourself  as  a  “Christian  hacker.” 

Hacking  is  a  job.  It’s  what  I  do  to  pay  the  bills,  and  it  just  so 
happens  I’m  also  one  of  the  good  guys.  So  that  term  is  really  just 
taking  my  job  and  my  beliefs  and  combining  them.  It’s  really  not 
that  strange  of  a  thing.  It  boils  down  to  me  living  life  to  a  higher 
standard— not  just  plugging  through  and  doing  the  9  to  5. 

You’ve  also  said  that  the  religious  establishment  could  learn  a  lot 
from  the  hacking  community.  Explain  that. 

It’s  amazing  because  the  hacking  community  is  so  accepting. 
Many  times  you’re  working  with  people  that  operate  under 
completely  different  beliefs  than  you  do;  they  believe  in  different 
religions  and  are  of  different  ethnicities.  All  of  that  vanishes  in  a 
chat  room.  All  of  the  things  we  get  so  hung  up  on  in  this  society 
disappear.  I  can  be  who  I  am  with  no  apologies. 

What’s  the  most  important  piece  of  advice  you  would  give  to 
someone  who  wants  to  become  a  professional  hacker? 

Trust is everything. Whether or not you decide to get into this as a profession, if you do things you’re not supposed to, it’s really going to hurt you in many different ways. But if you have incredible passion that you want to take to the next level and make a career out of it, you really have to set your path early on and be aware that if not done right, this stuff can come back to bite you.


Reach  Staff  Writer  Katherine  Walsh  at  kwalsh@cxo.com. 






[undercover]

By  Anonymous 


A  Case  for  Anticounterfeiting 

Wherein  our  CSO  makes— and  proves— the  argument  that 
anticounterfeiting  should  be  a  security  function 


Although I don’t handle customer complaints directly, one day I received a call through our operator from a disgruntled customer who complained that our company should not allow counterfeit products carrying our brand name to be sold so boldly. She went on to describe what seemed to be an unbelievable story about a counterfeit ring that was selling hundreds of thousands of dollars’ worth of counterfeit goods in Middle America. Curious, I seized this unusual opportunity and assigned the claim to our investigations team, which usually focuses on theft and policy violations.

It  turned  out  that  the  customer’s  story— 
although  it  had  seemed  unbelievable— was 
also,  to  a  large  extent,  true.  Within  weeks, 
our  investigations  team,  working  closely 
with  law  enforcement,  had  completed 
a  sting  operation  that  led  to  the  arrests 
of  numerous  individuals,  the  seizure  of 
thousands  of  pieces  of  counterfeit  goods 
and  the  discovery  of  a  supply  network  that 
stretched  outside  the  United  States. 

Protect  our  brand?  You  bet  we  did. 

In today’s business environment, business unit owners need to continually drive incremental value to their organizations. This is particularly true of operational business units that do not directly or tangibly generate material growth in revenue, areas such as security. In anticounterfeiting, I realized there was an opportunity to add value to the organization. So I jumped.

After my team’s success with this anticounterfeiting operation, I was able to convince our senior management to move anticounterfeiting operations out of the legal department and into the security realm. It wasn’t an easy sell, but it wasn’t that hard of a sell, either. In fact, once I started looking at the issue, it became obvious why my team could be successful fighting counterfeiting, and why the organizational move is a logical step for any brand-conscious organization.

Security  Skills 

Our security department’s mission always has centered on the concept of protection, so it seemed logical to expand the mission to encompass protecting the brand from the illegal and unethical pirating of our products, which could erode customer confidence and trust in our brand. But bringing real value to the company centered on playing to and leveraging some of the strengths of our security team. Here’s how I made my case.

First, many aspects of anticounterfeiting operations rely on solid and creative investigations—something that played directly into the strengths of our investigation team. The team is adept at conducting comprehensive, fact-finding interviews, mining intelligence for additional leads, conducting surveillance, performing undercover operations and maintaining documentation and records for purposes of litigation. To take on anticounterfeiting responsibility, we had only to expand these skills outside of the traditional security responsibilities and apply them to efforts focused on the crime of trademark infringement.

Second, due to the nature of our business, the security team is represented throughout every business channel around the world. This level of organizational penetration has served us well and lets us drive consistent and collaborative support of traditional security themes and best business practices. The mentality that all of us in security strive for—to make sure “security is everyone’s job”—has been maintained by the rallying cry and constant reinforcement of our local security agents with their business-channel partners.

In addition, this presence at our locations around the globe enhances the company’s ability to respond nimbly to reports of counterfeiting to protect its business globally. If a report about counterfeiting comes in almost anywhere in the world, security has someone onsite who is prepared to investigate possible illegal activity. By leveraging security’s global organization, the company can maintain effective focus and commitment to brand protection. In a sense, brand protection is everyone’s job, too.

Third, a standard operating procedure for security has been to maintain a commitment to process improvement. By expanding into anticounterfeiting operations, the company has brought process improvement into an area traditionally served by counterfeit product seizures, prosecution and litigation. Now, new aspects of business are scrutinized through the window of process improvement to focus on protecting the brand. For example, we are reviewing internal operations to identify ways to ensure that counterfeit items do not enter the supply chain, and all customer touchpoints are under scrutiny to see how well our employees are trained to identify counterfeit products. Along these lines, security also is looking for opportunities to employ a covert product security tool that will improve the ability of any company representative to distinguish between a genuine item and a counterfeit one on the spot. Improving our methods of identifying counterfeits also improves productivity, because suspected fake goods don’t have to be sent back to a central location staffed by quality assurance specialists.

The decision to move anticounterfeiting operations also leverages security’s vendor network and other relationships. Many security and risk-management companies that specialize in areas such as background check investigations, competitive intelligence and compliance also specialize in brand integrity and intellectual-property services. Rather than having another department form an alliance with vendors that my department already deals with, security can simply modify its contracts or service expectations with our vendors to include anticounterfeiting functions.


Benefits to the Organization

This has already paid off. One day, management expressed concerns that certain gray-market organizations were selling our products and causing confusion in the local market, but they didn’t know if the items were counterfeit products or authentic ones that somehow came from one of our distributors. My team was able to respond rapidly by having one of our existing security vendors investigate. That vendor conducted site visits, product buys and quality documentation for litigation purposes, and the information was then hand-wrapped and delivered to our legal department.

In another case, a newly forged relationship between one of our security agents and local law enforcement allowed us to identify the movement of counterfeit goods. One of our security team’s normal business practices has always been to develop strong relationships with law enforcement organizations at the local and national levels; now, we’re leveraging these relationships to establish new ones with customs and trade-enforcement organizations. Recently, a case in the United Kingdom resulted from a relationship our London-based executive had developed with members of the Trading Standards Service. A Trading Standards Service officer called our security agent with a tip and asked if we wanted to pursue the case. This resulted in the identification of a counterfeiting ring that was importing counterfeits from China and distributing in select cities in the United Kingdom.

By leveraging some of security’s core competencies, the company has realigned responsibilities and improved the productivity of at least two departments. Security is supporting anticounterfeiting operations as a value-add to its traditional mission. Meanwhile, the company’s legal department has been able to shift its resources to priorities that require counsel—areas such as real estate, labor law and copyright and trademark registration.

In addition, leveraging security’s infrastructure has assured the company a greater degree of expense control in anticounterfeiting initiatives that involve the use of third parties. That’s because security is able to manage the operations and deliverables of the vendors more closely than the legal department was realistically able to do. In the world of brand protection, dollars can easily funnel into a black hole, but a nonrevenue-producing operations team like our security organization can apply its aggressive fiduciary responsibilities across all its disciplines. It’s what we do.

Also, there’s been a fundamental shift in the company’s anticounterfeiting philosophy. Without sacrificing the benefits of litigation, the company is now embracing a focus on results. While our anticounterfeiting operations are not a solution—the counterfeiting problem is not going away for any trademark holder—our emphasis on results is bringing to light the level of exposure the company has to counterfeits in the marketplace while also demonstrating significant improvements in the number of counterfeit items that are being seized and removed from the public’s eye. This is great for our business and our customers and a nice “protecting our brand” message our company can share proudly.

Last but not least, extending anticounterfeiting to become part of the security mission has resulted in unanticipated benefits for security. Counterfeits strike at the heart of our customers, our employees and our stakeholders, engendering a passion to take action to eliminate or at least contain the effects of counterfeits. As a security group, we can harness that passion. The security department has been able to enhance its image as a positive and valuable discipline within the broader company. The security department’s employees can be seen as more valuable members of the company. Now, local security agents are able to use the enthusiasm for our anticounterfeiting efforts to gain a greater acceptance of overall security across the entire business channel. Maybe now our mantra should be, “Asset protection is everyone’s job!” ■


Undercover is written by an anonymous CSO. Send feedback to csoundercover@cxo.com.






[INDUSTRY VIEW]

By Christopher Burgess

Spy Versus Spy

A CIA veteran looks at today’s shrill warnings of nation-based economic espionage


Throughout 2007, we saw numerous governments striking the alarm bells and warning all: “Protect yourself! The thieves are coming!” These warnings of nation-state-sponsored industrial espionage have truly reached critical levels. The warnings are applicable to all nations, industrial sectors and companies, and are quickly followed by yet another government standing up a new or improved counterespionage entity in order to protect its country’s interests.

The playing field is crowded with actors both new and old, exceeding any level of activity previously encountered, including the apex of the Cold War—when geopolitical and ideological battle lines truly existed but the current level of global communications infrastructure did not. It is this enhanced infrastructure that has, in essence, leveled this playing field of industrial espionage for all the nation-states.

More than eight years since the climax of the Cold War, the threat of industrial and economic espionage has percolated again to the forefront. The tools of the intelligence collector are being dusted off and put to use in what is referred to as the “second-oldest profession.” Nations are willing to make the political decision to support their indigenous companies with the provision of competitors’ intellectual property the old-fashioned way: They will just take it.

In mid-October 2007, the U.S. Department of Justice compiled and released “Fact Sheet: Major U.S. Export Enforcement Actions in the Past Year,” which summarized the 32 major cases (October 2006-October 2007) of illegal export of U.S. technologies. Interestingly, the number of countries identified totaled 10, with Iran and China each responsible for approximately a third of the cases. Equally interesting is that none of the cases involving Iran were characterized as espionage. Of the four cases that were identified as espionage, all named China as the nation-state sponsor. Equally remarkable: Russia does not appear in the Fact Sheet. This is especially noteworthy given Russian President Vladimir Putin’s October 2007 call to former Prime Minister Mikhail Fradkov, the new head of Russia’s external intelligence service, SVR, to build up economic espionage capabilities.

It is clear, nevertheless, that two countries are most invested in the illicit acquisition of advanced technologies from companies, research institutes and enterprises, to advance their own economies and to provide data points for their own national security strategies. Those countries are China and Russia.

So how do we go about protecting ourselves as commercial entities? The U.S. FBI’s Domain Program is focused on protecting those companies with U.S. government contracts. The National Counterintelligence Executive notes that classified briefings are provided to such entities (albeit with the expectation that enterprises involved in classified government work should be ready and willing to work with the FBI to protect company assets).

What about the majority of U.S. businesses not involved in government work? Perhaps the FBI’s Domain Program will evolve to be the avenue by which individual U.S. companies will be provided the necessary data points. But the FBI Domain Program is a U.S.-centric capability. What is the multinational corporation to do? Will other nations follow the FBI’s lead?

It is not enough to say to companies, “This nation or that nation is a threat to you” and “You should tighten up your intellectual property security.” Nor is it sufficient to warn that the “insider is a threat, especially from those who are foreign nationals.” How ludicrous is this advice? Insiders are universally recognized as those closest to that which is valued. And what multinational company does not have a mix of nationalities?

More appropriately, governments must find a means to step forward and identify the modus operandi of the offending nations. Only then will companies be in a position to recognize the indicators of the threatening nation and perhaps succeed in protecting themselves. If this should occur in 2008, perhaps we won’t have such a robust list of economic espionage events to talk about at the end of the year. ■


Christopher Burgess is a 30-year CIA veteran and currently serves as senior security adviser to a Fortune 100 company. Contact him at cburgess@att.net.




Secure Sensitive Information With Protegrity’s Defiance® Security Suite.

Fulfilling your obligation to protect sensitive data protects your business. It keeps your brand safe. It helps you comply with regulations. It safeguards your employees and customers.

Protegrity is proud to deliver the Defiance® Security Suite, a comprehensive Data Security Management™ solution designed to protect data, protect web applications, and centrally manage and report on security policy. Defiance® Security Suite meets the unique requirements of the distributed enterprise, allowing for organization-wide administration from a single point, encryption, key management, separation of duties, web application firewalls, and management and compliance reporting.

To learn more about Defiance® Security Suite contact Protegrity at 203-326-7200 or visit www.protegrity.com.

protegrity
Protecting your data. Protecting your business.


[debriefing]

Electric Mixer

Taser Party



“Welcome to the Taser party. On the coffee table, Dana Shafman spreads out Taser’s C2 ‘personal protection’ weapons that the company is marketing to the public. It doesn’t take long before the women are lined up in the hallway, whooping as they take turns blasting at a metallic target.... Shafman is an independent entrepreneur who’s been selling Tasers the way her mother’s generation sold plastic food storage containers.”

- Associated Press 1/7/08


TO: Lynnie, Hopper, Butterworth, Izzie, Jane, Scarlett
FROM: LisaD
SUBJECT: Taser Party

Ladies! Well, Lynnie’s welts have healed for the most part, and her hair has grown back. You can hardly notice anymore. So we’re ready to try the taser party again. This time, one glass of Pinot Grigio only! Todd the Hottie Taser Guy tells me the leopard-print taser is in, but quantities are limited.

How about Friday at my house? 7 p.m.? Be ready to tase the night away! Woohoo!

-LisaD


TO: LisaD, Lynnie, Butterworth, Izzie, Jane, Scarlett
FROM: Hopper
SUBJECT: RE: Taser Party

I’ll be there! I heard the new holsters play MP3s now, too! I’m SOOO getting one! Also, I’m bringing Mike’s golf clubs to use as one of our targets. Nothing will be more fun than playing I Will Survive while dropping 50,000 volts on his putter. I’ll explain Friday night.

See you then!

-Hopper

P.S. Leopard print? Tacky! Make sure they have the navy one with white polka dots.


TO: LisaD, Hopper, Butterworth, Izzie, Jane, Scarlett
FROM: Lynnie
SUBJECT: RE: RE: Taser Party

Can’t wait for the taser party! LisaD, sorry again about last time. I promise not to jump in front of the metal target this time, even though I still say Jane totally shot on purpose, just to see what would happen. The last time I felt that sick was at Scarlett’s wedding when Hopper made me do those Alabama Slammers!

Anyway, I hope the candles I sent helped get rid of that singed hair-and-carpet smell.

BTW, does anyone know about the legality of tasing raccoons? They’re all over my trash. I’d love to see the look in their masked little eyes when I deliver some electric justice! Anyway, if you could find out that’d be great.

-Lynnie

TO: LisaD, Lynnie, Butterworth, Izzie, Hopper, Scarlett
FROM: Jane
SUBJECT: RE: RE: RE: Taser Party

Lynnie, Don’t tase me bro!!! LOL!!!

TO: Lynnie, Butterworth, Izzie, Hopper, Scarlett, Jane
FROM: LisaD
SUBJECT: RE: RE: RE: RE: Taser Party

Okay, ladies, settle down! Just found out Todd the Hottie Taser Guy is taken. :( Not only that, his girlfriend has a limited-edition, metallic, pearl taser with matching MP3-playing holster and matching deluxe recharging bay! I want one!! :(

Todd also told me the new models include laser aiming. Just line up the red dot where you want the welt and watch as the nervous system is disrupted by violent pulses of current. You’ll know it’s working when you hear The Famous Taser ZZZZP!

See you Friday. Bring your checkbooks!

-LisaD




Illustration by Edd Patton


7-11 April 2008, Dallas, Texas, USA
9-13 June 2008, Vancouver, British Columbia, Canada
23-27 June 2008, Minneapolis, Minnesota, USA

Training Week is one of ISACA’s most popular training events. Each features distinct programs that appeal to a wide variety of IT audit, assurance, control, security and governance professionals.

Esteemed instructors combine lecture, case study, class discussion and group exercises for a full week of study and up to 38 CPE Credits.

Programs offered:

Fundamentals of IT Auditing ... All Locations
Information Security Management ... All Locations
IT Audit Practices ... Dallas and Vancouver

New!
CobiT: Strategies for Implementing IT Governance ... Minneapolis Only

Register online now!
www.isaca.org/trainingweek




Sustainable and market-leading growth are dependent on a business-aligned security strategy. IBM flexible and adaptable security solutions are tailored to fit your specific business needs, and can help you to keep ahead of security threats and proactively manage security risks while effectively supporting your compliance and business requirements. To find out more please visit IBM in Windsor A.

IBM and the IBM logo are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. © Copyright IBM Corporation 2008. All rights reserved. P20157


